Add-on SweetAlert Contact Form 7 < 1.0.8 – Authenticated Stored Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

Stored XSS "post-auth" in "tittle" field of the "Error Alert" and "Success Alert" sections of the plugin's settings page due to poor sanitization of entered characters.

When you enter the payload and save the changes, it is permanently embedded in the html code of the settings page, so all users who visit the plugin's settings can suffer the attack.

Edit (WPScanTeam):
May 13th, 2020 - Confirmed & Escalated to WP Plugin Team
May 21st, 2020 - v1.0.8 released, fixing the issu

Proof of Concept

Enter the following payload in the Title field of the Error Alert or Success Alert section in the plugin's settings: "onfocus=alert(/XSS/) autofocus="autofocus

Affects Plugins

addon-sweetalert-contact-form-7

Fixed in 1.0.8

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Juan M.

Submitter

Mike_JMSec

Submitter website

https://jaymonsecurity.com

Verified

Yes

WPVDB ID

2bfc1120-17fa-49bd-9d94-dbdba5ede1d6

Timeline

Publicly Published

2020-05-25 (about 5 years ago)

Added

2020-05-25 (about 5 years ago)

Last Updated

2020-05-25 (about 5 years ago)

Other

Published

Title

Published

2025-01-24

Title

Event post < 5.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-12

Title

WP Voting <= 1.8 - Reflected Cross-Site Scripting

Published

2021-10-25

Title

EditableTable <= 0.1.4 - Admin+ Stored Cross-Site Scripting

Published

2025-01-29

Title

VR-Frases (collect & share quotes) < 4.0 - Reflected Cross-Site Scripting

Published

2025-01-29

Title

WP Image Uploader <= 1.0.1 - Reflected Cross-Site Scripting