WordPress Contact Forms by Cimatti < 1.4.12 – Admin+ Stored Cross-Site Scripting | CVE 2021-24744 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

Proof of Concept

1. go to Forms.
2. go to Add New Form
3. In th title put <script>alert("Ehlo");</script>
4. Save setting and then go to the urls: https://example.com/wp-admin/admin.php?page=accua_forms_submissions_list and https://example.com/wp-admin/admin.php?page=accua_forms_list

Affects Plugins

Fixed in 1.4.12

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez, Sebastian Cruz Cardona

Submitter

Sebastian Cruz Cardona

Submitter website

https://pfelilpe.com

Verified

Yes

WPVDB ID

702a4283-1fd6-4186-9db7-6ad387d714ea

Timeline

Publicly Published

2021-09-27 (about 2 years ago)

Added

2021-09-27 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2021-09-20

Title

Gutenberg PDF Viewer Block < 1.0.1 - Contributor+ Stored Cross-Site Scripting

Published

2023-04-26

Title

SEO ALert <= 1.59 - Admin+ Stored XSS

Published

2023-10-03

Title

Form Maker by 10Web < 1.15.19 - Reflected XSS

Published

2022-03-15

Title

GridKit Portfolio < 2.1.0 - Subscriber+ Stored Cross-Site Scripting

Published

2023-05-09

Title

Vertical Image Slider < 1.2.17 - Reflected XSS