Ultimate Addons for Contact Form 7 < 3.1.29 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PoC

1. Ensure Contact Form 7 is installed, along with this plugin 2. Visit Contact > Ultimate Addons, ensure “Pre-populate Field” is checked, and click Save. 3. Visit Contact > Contact Forms and click “Edit” for a form. 4. Click the button “UACF7 pre-populate Fields”. 5. In the “Redirect URL” field enter ![](x). 6. Click the “Add Field” button to ensure at least one field is added, and click “Save”. 7. Submit the following form in another tab and see the alert trigger: