Generate PDF using Contact Form 7 < 3.6 – Admin+ Stored Cross-Site Scripting | CVE 2022-3070

Description

The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

1 - Install and activate "Generate PDF using Contact Form 7 Version 3.5"
2 - Click on "Contact -> Add new" which is present at left side bar and create test contact form and save it.
3 - Click "Contact -> PDF with CF7" select test contact form from the drop down.
4 - Now add below mentioned xss script  to each and every input field as shown in video poc
"><img src=x onerror=confirm(document.cookie)>
5 - Now Click on Save Changes, once the page loaded completely you will see xss popup with your cookies
6 - Now let's check with another admin user, login with 2nd admin user
9 - Click on the "Contact -> PDF with CF7" which is present at the left side bar and select test contact form from the drop down.
10 - 2nd admin account also gets xss popup with cookies