Send PDF for Contact Form 7 < 0.9.9.2 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

PoC

Exploit shortcode: [wpcf7pdf_download type=‘text’ class=‘" onmouseover=“alert(1)”’] Exploit link: http://localhost/exploit-page/?pdf-reference=63a3ddc576a74 Note: 1. The pdf reference value must be specified, which can be found in the Contact > Create PDF page - Last records section. 2. Contact Form 7 plugin is required.