Contact Form 7 Style <= 3.1.9 – Cross-Site Request Forgery to Stored Cross-Site Scripting | CVE 2021-24159

Description

Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

contact-form-7-style

No known fix

References

CVE

CVE-2021-24159

URL

https://www.wordfence.com/blog/2021/02/unpatched-vulnerability-50000-wp-sites-must-find-alternative-for-contact-form-7-style/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

8.8 (high)

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

infosecchloe

Verified

WPVDB ID

363182f1-9fda-4363-8f6a-be37c4c07aa9

Timeline

Publicly Published

2021-02-04 (about 3 years ago)

Added

2021-02-04 (about 3 years ago)

Last Updated

2021-02-20 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

foursquare-checkins - CSRF

Published

2023-11-28

Title

Button Generator < 2.3.9 - Button Counter Reset via CSRF

Published

2023-11-20

Title

Post Meta Data Manager < 1.2.2 - Cross-Site Request Forgery to Post, Term, and User Meta Deletion

Published

2014-08-01

Title

Centrora Security 3.2.1 - Multiple Admin Actions CSRF

Published

2023-10-18

Title

Google Calendar Events < 3.2.6 - Cross-Site Request Forgery (CSRF)