The plugin does not sanitise and escape its settings, allowing high-privilege users such as admins to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Because the payload is stored in the plugin's options, it executes for every admin who later opens the settings page, not only for the user who submitted it.
1 - Install and activate "Generate PDF using Contact Form 7" version 3.5.
2 - Click "Contact -> Add New" in the left sidebar, create a test contact form and save it.
3 - Click "Contact -> PDF with CF7" and select the test contact form from the drop-down.
4 - Enter the XSS payload below into each input field, as shown in the video PoC:
    "><img src=x onerror=confirm(document.cookie)>
5 - Click "Save Changes". Once the page has fully loaded, an XSS popup showing your cookies appears.
6 - To confirm the payload is stored, log in as a second admin user.
9 - Click "Contact -> PDF with CF7" in the left sidebar and select the test contact form from the drop-down.
10 - The second admin account also gets the XSS popup with its cookies.
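The root cause described above is a settings page that stores whatever the admin posts and echoes it back unescaped. The following PHP is an added illustration written for this advisory, not the plugin's own code: the option name `demo_pdf_title`, the settings group and the function names are hypothetical placeholders. The first half shows the vulnerable pattern (which the `"><img src=x onerror=...>` payload exploits by closing the `value=""` attribute); the second half shows the same field sanitised on save through a `register_setting()` sanitize callback and escaped on output with `esc_attr()`.

```php
<?php
// Added example for this advisory; not the plugin's real code.
// 'demo_pdf_title', 'demo_pdf_settings_group' and all function names are
// hypothetical stand-ins for a settings page like "PDF with CF7".

// --- Vulnerable pattern: raw input stored, raw value echoed -----------------
// Nothing strips markup on the way in. WordPress's kses filtering only protects
// post content for users lacking unfiltered_html; plugin options are untouched,
// so disallowing that capability does not stop this.
function demo_pdf_settings_save_vulnerable() {
    if ( isset( $_POST['demo_pdf_title'] ) ) {
        update_option( 'demo_pdf_title', $_POST['demo_pdf_title'] ); // unsanitised
    }
}

function demo_pdf_settings_render_vulnerable() {
    $title = get_option( 'demo_pdf_title', '' );
    // A stored value of  "><img src=x onerror=confirm(document.cookie)>
    // closes the value attribute and injects an <img> tag that fires for
    // every admin who opens the page.
    echo '<input type="text" name="demo_pdf_title" value="' . $title . '">'; // unescaped
}

// --- Hardened pattern: sanitise on save, escape on output -------------------
function demo_pdf_sanitize_title( $value ) {
    // sanitize_text_field() strips tags and invalid bytes. If a field really
    // must keep a limited HTML subset, use wp_kses_post() or wp_kses() with an
    // explicit allow-list instead of trusting the unfiltered_html capability.
    return sanitize_text_field( (string) $value );
}

add_action( 'admin_init', function () {
    // With the Settings API the form posts to options.php, which runs the
    // sanitize_callback and checks the nonce emitted by settings_fields().
    // A hand-rolled $_POST handler would additionally need
    // check_admin_referer() and a current_user_can( 'manage_options' ) check.
    register_setting(
        'demo_pdf_settings_group',
        'demo_pdf_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_pdf_sanitize_title',
            'default'           => '',
        )
    );
} );

function demo_pdf_settings_render_hardened() {
    $title = get_option( 'demo_pdf_title', '' );
    // esc_attr() encodes " ' < > & so the value cannot break out of the
    // attribute even if a raw string reached the database by some other path.
    // Defence in depth: sanitise on input AND escape on output.
    printf(
        '<input type="text" name="demo_pdf_title" value="%s">',
        esc_attr( $title )
    );
}
```

Both halves are needed in a real fix: sanitising on save prevents the payload from being stored, and escaping on output protects against values that reach the option through another code path (an import, a migration, direct database access). The `confirm(document.cookie)` in the PoC only demonstrates script execution in the second admin's session; the practical impact of stored admin-panel XSS is that the injected script runs with that admin's authenticated browser context.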
Anurag Bhoir
Yes
2022-08-31