WordPress Plugin Vulnerabilities
Contact Form 7 Style <= 3.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Description
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.
Proof of Concept
The PoC will be displayed once the issue has been remediated.
Affects Plugins
References
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
No
WPVDB ID
Timeline
Publicly Published
2021-02-04 (about 3 years ago)
Added
2021-02-04 (about 3 years ago)
Last Updated
2021-02-20 (about 3 years ago)