WordPress Plugin Vulnerabilities

Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

1 - Install and activate "Generate PDF using Contact Form 7" version 3.5.
2 - Click on "Contact -> Add new" in the left sidebar, create a test contact form and save it.
3 - Click on "Contact -> PDF with CF7" and select the test contact form from the drop-down.
4 - Add the XSS payload below to each and every input field, as shown in the video PoC:
"><img src=x onerror=confirm(document.cookie)>
5 - Click on "Save Changes"; once the page has loaded completely you will see the XSS popup with your cookies.
6 - Now check with another admin user: log in as the second admin user.
7 - Click on "Contact -> PDF with CF7" in the left sidebar and select the test contact form from the drop-down.
8 - The second admin account also gets the XSS popup with the cookies.
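The storage-and-output pattern behind this class of bug, as an added PHP illustration that is not the plugin's own code: a settings value stored and echoed raw, beside the same field sanitised with sanitize_text_field() on save and escaped with esc_attr() on output. The option and field names are hypothetical; the shims only stand in for the WordPress helpers when the file is run outside WordPress.

```php
<?php
// Added example, not the plugin's code. Inside WordPress the real helpers
// are used; stand-alone (`php this_file.php`) these shims approximate them.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Constructed input: the payload from the advisory's PoC.
$submitted = '"><img src=x onerror=confirm(document.cookie)>';

// Vulnerable pattern: the stored value is interpolated straight into an
// attribute, so the leading '">' closes the attribute and the tag, and the
// <img> that follows executes for every admin who opens the settings page.
function vulnerable_render(string $stored): string {
    return '<input type="text" name="pdf_title" value="' . $stored . '">';
}

// Hardened pattern: sanitise on save (strips markup before it reaches the
// options table) and escape on output (neutralises any quote or angle
// bracket that still gets through). Escaping alone already stops the
// attribute break-out; doing both keeps the stored data clean as well.
// In a real plugin the save step belongs in register_setting()'s
// 'sanitize_callback' for the option (hypothetical name 'gpcf7_pdf_title').
function hardened_store(string $raw): string {
    return sanitize_text_field($raw);
}
function hardened_render(string $stored): string {
    return '<input type="text" name="pdf_title" value="' . esc_attr($stored) . '">';
}

// Check used below: does the rendered HTML contain any tag other than the
// <input> the template itself emits?
function injects_markup(string $html): bool {
    return preg_match('/<(?!input\b)[a-z]/i', $html) === 1;
}

$vuln = vulnerable_render($submitted);
$safe = hardened_render(hardened_store($submitted));
echo "vulnerable: $vuln\n";                               // contains <img ... onerror=...>
echo "hardened:   $safe\n";                               // value="&quot;&gt;"
echo "vulnerable injects markup: " . var_export(injects_markup($vuln), true) . "\n"; // true
echo "hardened injects markup:   " . var_export(injects_markup($safe), true) . "\n"; // false
```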

Classification

Type
XSS

Miscellaneous

Original Researcher
Anurag Bhoir
Submitter
Anurag Bhoir
Verified
Yes

Timeline

Publicly Published
2022-08-31
Added
2022-08-31
Last Updated
2022-08-31