WordPress Plugin Vulnerabilities

Ultimate Addons for Contact Form 7 < 3.1.29 - Reflected XSS

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

1. Ensure Contact Form 7 is installed, along with this plugin
2. Visit Contact > Ultimate Addons, ensure "Database" is checked, and click Save.
3. Visit Contact > Ultimate DB, select a form, and Submit.
4. In the URL, append the following payload, and see the alert upon loading the new page: &s=%3Cimg%20src=x%20onerror=alert(/XSS/)%3E

Affects Plugins

Plugin icon
ultimate-addons-for-contact-form-7
Fixed in 3.1.29

References

CVE
CVE-2023-2803

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Henry1601
Submitter
Henry1601
Verified
Yes
WPVDB ID
ec640d47-bb22-478d-9668-1dab72f12f8d

Timeline

Publicly Published
2023-07-24 (about 4 months ago)
Added
2023-07-24 (about 4 months ago)
Last Updated
2023-07-24 (about 4 months ago)

Other

Published
Title
Published
2021-04-13
Title
WooLentor - WooCommerce Elementor Addons + Builder < 1.8.6 - Contributor+ Stored XSS
Published
2018-12-07
Title
Advanced Custom Fields <= 5.7.7 - Authenticated Cross-Site Scripting (XSS)
Published
2021-09-09
Title
Advance Search < 1.1.3 - Reflected Cross-Site Scripting
Published
2023-07-05
Title
SMTP Mail <= 1.3.14 - Unauthenticated Stored Cross-Site Scripting
Published
2022-05-09
Title
User Meta < 2.4.3 - Admin+ Stored Cross-Site Scripting