wpvulndb | Krzysztof Zając (CERT PL) | WPVDB-ID: B9A4A3E3-7CDD-4354-8541-4219BD41C854
History: Jan 09, 2024 - 12:00 a.m.

Contact Form 7 Connector < 1.2.3 - Reflected XSS

Published: 2024-01-09 00:00:00
Source: wpscan.com
Tags: wordpress, plugin, security, cross-site scripting, administrator, vulnerability

AI Score: 5.9
Confidence: High
EPSS: 0.001
Percentile: 17.0%

Description

The plugin does not sanitise or escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators. The affected page lives under wp-admin (admin.php?page=ari-cf7connector-log), so exploitation requires a logged-in administrator to open an attacker-supplied link carrying the payload.

PoC

http://vulnerable-site.tld/wp-admin/admin.php?page=ari-cf7connector-log&format=html&log=
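To make the bug class concrete, the following is an added illustration and not the plugin's own code: a WordPress admin page callback that reflects the `log` and `format` query parameters into HTML without escaping, beside a hardened version that checks capability, allow-lists `format`, sanitises the input and escapes on output. The function names, the `manage_options` capability and the stub fallbacks for the WordPress helpers are assumptions so the file runs under a plain `php` CLI; inside WordPress the real `esc_html()`, `sanitize_text_field()`, `wp_unslash()` and `current_user_can()` are used.

```php
<?php
// Added example (not the plugin's code): vulnerable vs hardened rendering of an
// admin log page. Parameter names mirror the PoC URL's query string (page, format, log).

// Fallbacks so this file runs outside WordPress; in WordPress the real functions win.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Approximation of the WordPress helper: strip tags and control characters, trim.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
}
if (!function_exists('current_user_can')) {
    // Stand-in for the demo only; WordPress decides this from the logged-in user.
    function current_user_can(string $capability): bool {
        return true;
    }
}

// VULNERABLE (hypothetical): whatever arrives in ?log= and ?format= lands in the page verbatim.
function render_log_page_vulnerable(array $get): string {
    $format = $get['format'] ?? 'html';
    $log    = $get['log'] ?? '';
    return '<h1>Log (' . $format . ')</h1><pre>' . $log . '</pre>';
}

// HARDENED: capability check, allow-listed format, sanitised input, and escaping
// that matches the output context (HTML body) on every reflected value.
function render_log_page_hardened(array $get): string {
    if (!current_user_can('manage_options')) {
        return '<p>Insufficient permissions.</p>';
    }
    $allowed_formats = ['html', 'text'];
    $format = $get['format'] ?? 'html';
    if (!in_array($format, $allowed_formats, true)) {
        $format = 'html';
    }
    $log = sanitize_text_field(wp_unslash((string) ($get['log'] ?? '')));
    return '<h1>Log (' . esc_html($format) . ')</h1><pre>' . esc_html($log) . '</pre>';
}

// Constructed request, the shape an attacker would put after `log=` in the PoC URL.
$request = [
    'page'   => 'ari-cf7connector-log',
    'format' => 'html',
    'log'    => '<script>alert(document.domain)</script>',
];
echo "vulnerable: " . render_log_page_vulnerable($request) . PHP_EOL;
echo "hardened:   " . render_log_page_hardened($request) . PHP_EOL;
```

Run with `php example.php`: the vulnerable output contains the live `<script>` element, while the hardened output contains only `alert(document.domain)` as inert text. Note that sanitising on input is not a substitute for escaping on output; the hardened version does both because `sanitize_text_field()` is not an HTML encoder and `format` must still be escaped even after allow-listing, in case the allow-list is later widened.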
