Vendor: Easy Contact Form Plugin
By: Rahul Ramakant Singh
CVSS: 8.8 (HIGH)
Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: Easy Contact Form Plugin
Affected Version From: 1.1.7
Affected Version To: 1.1.7
Patch Exists: Yes
Related CWE: N/A
CPE: 2.3:a:ghozylab:easy_contact_form_plugin:1.1.7
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
Year: 2021

WordPress Plugin Easy Contact Form 1.1.7 – ‘Name’ Stored Cross-Site Scripting (XSS)

A stored Cross-Site Scripting (XSS) vulnerability exists in WordPress Plugin Easy Contact Form 1.1.7. An attacker can inject a malicious JavaScript payload into the 'Email Header' field, where it is stored and later reflected in the response. This can be exploited to execute arbitrary JavaScript code in the context of the affected website.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the plugin.
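
The class of fix for a stored value like 'Email Header', shown as an added example that is neither the plugin's code nor the vendor's patch. The function names, the `email_header` input name and the assumption that the value is rendered inside an HTML attribute are hypothetical; in a WordPress plugin, `sanitize_text_field()` and `esc_attr()` are the usual equivalents of the plain-PHP calls used here.

```php
<?php
// Added example: hypothetical handlers, not the plugin's code or the vendor's patch.
// Assumption: the stored "Email Header" value is echoed back inside an <input> attribute.

// Payload exactly as quoted in the steps on this page (including the double quotes).
const PAYLOAD = '"<sc><svg/onload=alert(454)>"';

// "Before": the stored value is concatenated straight into the attribute, so the
// leading double quote closes value="..." and the markup after it becomes live HTML.
function render_field_vulnerable(string $stored): string
{
    return '<input type="text" name="email_header" value="' . $stored . '">';
}

// "After", layer 1: normalise on save. An email header has no need for markup.
function sanitize_on_save(string $raw): string
{
    $clean = strip_tags($raw);                                       // drop tag-shaped input
    $clean = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $clean); // drop control chars, CR/LF included
    return trim($clean);
}

// "After", layer 2: encode for the HTML attribute context on every render.
function render_field_hardened(string $stored): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="email_header" value="' . $safe . '">';
}

// A row written before the fix never passed sanitize_on_save(), so the render-time
// encoding has to hold on its own for legacy data.
$legacy = PAYLOAD;
$fresh  = sanitize_on_save(PAYLOAD);

echo render_field_vulnerable($legacy), PHP_EOL; // attribute is broken out of
echo render_field_hardened($legacy), PHP_EOL;   // payload is inert text inside value=""
echo render_field_hardened($fresh), PHP_EOL;    // markup already stripped at save time
```

After updating, values saved while the vulnerable version was installed remain in the database, which is why the render-time encoding matters independently of input sanitisation.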

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS)
# Date: 14/01/2021
# Exploit Author: Rahul Ramakant Singh
# Vendor Homepage: https://ghozylab.com/plugins/
# Software Link: https://demo.ghozylab.com/plugins/easy-contact-form-plugin/
# Version: 1.1.7
# Tested on Windows

Steps:

1. Install WordPress 5.6
2. Install and activate *Contact Form Plugin* plugin.

3. Go to the *Contact Form Plugin* plugin section and click on the add new form button.

4. Fill in all required details, click on the save button, and capture the request in a proxy tool like Burp Suite.

5. Append the JavaScript payload in the "Email Header" field as mentioned below:

*"<sc><svg/onload=alert(454)>"*

6. You will observe that the payload was successfully stored and reflected in the response, the malicious JavaScript payload executed successfully, and we get a pop-up.