WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)

vendor:

Contact Form by Supsystic

by:

Murat DEMIRCI

9.8

CVSS

CRITICAL

Stored Cross-Site Scripting (XSS)

CWE

Product Name: Contact Form by Supsystic

Affected Version From: 1.7.18

Affected Version To: 1.7.18

Patch Exists: NO

Related CWE:

CPE: a:supsystic:contact_form_by_supsystic:1.7.18

Metasploit:

Other Scripts:

Platforms Tested: Windows 10

2021

WordPress Plugin Supsystic Contact Form 1.7.18 – ‘label’ Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability exists in WordPress Plugin Supsystic Contact Form 1.7.18. An attacker can inject a malicious JavaScript payload into the 'label' field, which will be executed when the page is viewed by an authenticated user.

Mitigation:

Ensure that user input is properly sanitized and validated before being stored and displayed.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Supsystic Contact Form  1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
# Date: 10/27/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://supsystic.com/
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.18
# Tested on : Windows 10

#Poc:

1. Install Latest WordPress

2. Install and activate plugin.

3. Open plugin, click "Add New Form" and select any form. 

4. Click "Fields" tab and "Add New Field". Choose whatever you want.

5. Inject JavaScript payload which is mentioned below into 'label' field, save and alert will appear on the screen.

Payload : <img src=x onerror=alert(1)>