Vendor: Contact Form by Supsystic
By: Erik David Martin
CVSS: 7.5 (HIGH)
Vulnerability Type: SQLi, Stored XSS
CWE: 89, 79
Product Name: Contact Form by Supsystic
Affected Version From: 1.7.5
Affected Version To: 1.7.5
Patch Exists: YES
Related CWE: CWE-89, CWE-79
CPE: a:supsystic:contact_form_by_supsystic:1.7.5
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 16.04.6 LTS / WordPress 5.4.2
Year: 2020

WordPress Plugin Supsystic Contact Form 1.7.5 – Multiple Vulnerabilities

The GET parameter 'sidx' is not sanitized when it is used to search for existing contact forms, allowing SQL injection. The 'Edit name' and 'Contact information' features are vulnerable to stored XSS: values entered there are output to the page without escaping, so attacker-supplied JavaScript is stored and later executed in the browser of whoever views the page.

Mitigation:

Validate the 'sidx' parameter against an allowlist of permitted sort columns (or otherwise sanitize it) before it is used in the query that searches existing contact forms, and escape user-supplied values whenever they are output to the page. A patched version of the plugin exists; update to it.
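The two patterns behind the advisory, shown as an added example in Python against an in-memory SQLite database. This is not the plugin's code (the plugin is PHP and uses WordPress's $wpdb); the table layout, the "secrets" table and the sample rows are constructed for the demonstration, and it assumes that 'sidx' is used as a sort column, which is what the name suggests but which the advisory does not state. It shows why an unvalidated ORDER BY column is exploitable even though the endpoint only lists forms (the sort direction becomes a yes/no oracle for any data the database user can read), the allowlist that closes it, and output escaping for the stored-XSS half.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for a forms table plus some unrelated sensitive data.

    The schema and rows are invented for this example; they are not the
    plugin's real tables.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forms (id INTEGER PRIMARY KEY, label TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO forms (label, created) VALUES (?, ?)",
        [("Contact us", "2020-01-05"), ("Newsletter", "2020-02-10"), ("Support", "2020-03-15")],
    )
    conn.execute("CREATE TABLE secrets (token TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('s3cr3t')")
    return conn


def list_forms_vulnerable(conn, sidx):
    """Vulnerable pattern: the requested sort key is pasted into the statement.

    ORDER BY cannot take a bound parameter, so whatever the client sends in
    'sidx' is parsed as SQL, not treated as data.
    """
    return conn.execute(f"SELECT id, label FROM forms ORDER BY {sidx}").fetchall()


# Hardened pattern: map the client-supplied sort key to a server-defined column
# name and reject everything else, so only fixed strings ever reach the query.
ALLOWED_SORT = {"id": "id", "label": "label", "created": "created"}


def list_forms_hardened(conn, sidx):
    column = ALLOWED_SORT.get(sidx)
    if column is None:
        raise ValueError(f"unsupported sort column: {sidx!r}")
    return conn.execute(f"SELECT id, label FROM forms ORDER BY {column}").fetchall()


def secret_starts_with(conn, prefix):
    """Boolean-blind probe through the vulnerable sort: ascending order means
    the condition held, descending means it did not."""
    probe = (
        "(CASE WHEN (SELECT token FROM secrets) LIKE "
        f"'{prefix}%' THEN id ELSE -id END)"
    )
    ids = [row[0] for row in list_forms_vulnerable(conn, probe)]
    return ids == sorted(ids)


def leak_secret(conn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=8):
    """Recover the token one character at a time using the probe above."""
    found = ""
    for _ in range(max_len):
        for ch in alphabet:
            if secret_starts_with(conn, found + ch):
                found += ch
                break
        else:
            break  # no character extends the prefix: the token is complete
    return found


def render_contact_vulnerable(name):
    """Vulnerable pattern: a stored value is written into the page as-is."""
    return f'<td class="contact-name">{name}</td>'


def render_contact_hardened(name):
    """Escape at output time so stored markup is displayed, never executed."""
    return f'<td class="contact-name">{html.escape(name, quote=True)}</td>'


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY oracle:", leak_secret(db))
    try:
        list_forms_hardened(db, "(SELECT 1)")
    except ValueError as exc:
        print("hardened version rejected it:", exc)
    print(render_contact_hardened('<script>alert(1)</script>'))
```

The allowlist is the important part: escaping a sort column is not an option because it is an identifier, not a string literal, so the only safe approach is to never let the client's value reach the SQL at all. The same reasoning applies to the XSS fix: escaping belongs at the point where the value is written into HTML, not where it is stored, so that the same stored name is safe in every page that renders it.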