WordPress Plugin Vulnerabilities
Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Proof of Concept
1 - Install and activate "Generate PDF using Contact Form 7 Version 3.5" 2 - Click on "Contact -> Add new" which is present at left side bar and create test contact form and save it. 3 - Click "Contact -> PDF with CF7" select test contact form from the drop down. 4 - Now add below mentioned xss script to each and every input field as shown in video poc "><img src=x onerror=confirm(document.cookie)> 5 - Now Click on Save Changes, once the page loaded completely you will see xss popup with your cookies 6 - Now let's check with another admin user, login with 2nd admin user 9 - Click on the "Contact -> PDF with CF7" which is present at the left side bar and select test contact form from the drop down. 10 - 2nd admin account also gets xss popup with cookies
Affects Plugins
Fixed in version 3.6
References
Classification
Miscellaneous
Original Researcher
Anurag Bhoir
Submitter
Anurag Bhoir
Verified
Yes
Timeline
Publicly Published
2022-08-31 (about 9 months ago)
Added
2022-08-31 (about 9 months ago)
Last Updated
2022-08-31 (about 9 months ago)