How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Contact Form by Supsystic < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The label field (Form name) was vulnerable to stored Cross-Site Scripting issue.

Proof of Concept

When creating or editing a form, use the following payload as a Form name (label field): "><script>alert(1)</script><!--', which will be executed when viewing the "Show All Forms" section, as well as when opening the Contact Details of a user having submitted to the affected form.

Affects Plugins

contact-form-by-supsystic

Fixed in version 1.7.7

References

ExploitDB

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Erik David Martin

Verified

Yes

WPVDB ID

a3146835-40f0-40ba-bde1-e2c0c9d0db97

Timeline

Publicly Published

2021-02-08 (about 2 years ago)

Added

2021-02-08 (about 2 years ago)

Last Updated

2021-02-09 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin