Constant Contact Forms < 1.8.8 - Multiple Authenticated Stored XSS
Description
Multiple stored cross-site scripting vulnerabilities in Constant Contact Forms for WordPress 1.8.7 and lower allow high-privileged user (Editor+) to inject arbitrary Javascript code or HTML in posts where the malicious form is embed.
Proof of Concept
High-privileged user (Editor+) can exploit XSS via Add New Form's form parameters: - Button text - Field Description The stored script is executed for all the users visiting the website. ## Proof of Concept 1. Download and install "Constant Contact Forms for WordPress 1.8.7" from https://wordpress.org/plugins/constant-contact-forms/ 2. Go into "Contact Form" tab from the sidebar and create a new form by clicking on the "Add New Form" button. 3. Input an XSS vector to "Button text", "Field Description" fields, for example: " autofocus=true onfocus='alert(document.domain)'> 4. Save the changes and click on "Publish" (Editor role). 5. By visiting posts that have embedded shortcodes (Ex: `[ctct form="XXX"]`), the javaScript code injected would be executed.
Affects Plugins
Fixed in version 1.8.8✓
Classification
Miscellaneous
Original Researcher
Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter
Nguyen Anh Tien
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2020-09-06 (about 1 years ago)
Added
2020-09-06 (about 1 years ago)
Last Updated
2021-01-21 (about 9 months ago)