Contact Form Clean and Simple < 4.7.1 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

The Contact Form Clean and Simple WordPress plugin was vulnerable to Authenticated stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin's options. This code will then be executed on every page with the contact form on the front-end.

Proof of Concept

By checking the consent checkbox and then adding malicious code to the consent message box, users on the front-end are then subject to this code.  

Video Poc: https://www.youtube.com/watch?v=mKg0TUqEhC8

Affects Plugins

clean-and-simple-contact-form-by-meg-nicholas

Fixed in 4.7.1

References

URL

https://plugins.trac.wordpress.org/changeset/2232279/clean-and-simple-contact-form-by-meg-nicholas

URL

https://jrjmulder.nl/plugins/contact-form-clean-and-simple-4-7-0-authenticated-stored-xss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Jeroen Mulder

Submitter

Jeroen Mulder

Submitter website

https://jrjmulder.nl

Verified

No

WPVDB ID

707baf41-69d6-45ba-8901-1edbb75a949e

Timeline

Publicly Published

2020-01-22 (about 6 years ago)

Added

2020-01-22 (about 6 years ago)

Last Updated

2020-02-16 (about 6 years ago)

Other

Published

Title

Published

2025-01-16

Title

WordPress 淘宝客插件 <= 1.1.2 - Reflected Cross-Site Scripting

Published

2023-10-02

Title

Regpack <= 0.1 - Admin+ Stored XSS

Published

2023-01-24

Title

Customer Reviews for WooCommerce < 5.17.0 - Contributor+ Stored XSS

Published

2017-08-24

Title

FG PrestaShop for WooCommerce < 3.20.0 - XSS

Published

2026-04-27

Title

Woostify < 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lity.js Library via data-lity Attribute in Custom HTML Block