Form – Contact Form <= 1.2.4 – Admin+ Stored Cross-Site Scripting | CVE 2022-1326 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape Custom text fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

Create/edit a form, add a Custom Text field, put the following payload in it: <script>alert(/XSS/)</script>, save the field and update the form

The XSS will be triggered in page/post where the form is embed

Affects Plugins

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Fayçal CHENA

Submitter

Fayçal CHENA

Submitter website

https://fafachena.com/

Submitter twitter

Verified

Yes

WPVDB ID

f57615d9-a567-4c2a-9f06-2c6b61f56074

Timeline

Publicly Published

2022-06-03 (about 1 years ago)

Added

2022-06-03 (about 1 years ago)

Last Updated

2023-03-06 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

VideoJS - Cross-Site Scripting (XSS)

Published

2020-04-07

Title

WP Lead Plus X < 0.99 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2019-05-04

Title

All-in-One Event Calendar <= 2.5.38 - Cross-Site Scripting (XSS)

Published

2013-03-05

Title

Count Per Day <= 3.2.5 - daytoshow Parameter XSS

Published

2024-01-05

Title

Happy Addons for Elementor (Free < 3.10.0, Pro < 2.10.0) - Reflected Cross-Site Scripting