On February 24th, 2024, during our second Bug Bounty Extravaganza, we received a submission for a stored Cross-Site Scripting vulnerability in Contact Form Entries, a WordPress plugin with more than 60,000 active installations.
The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin's shortcode.
Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program.
Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall's built-in Cross-Site Scripting protection.
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes.
Contact Form Entries is a plugin designed to allow WordPress users to save form submissions from many other popular contact form plugins to the WordPress database.
It provides a shortcode that displays form entries in a table when added to a WordPress page.
Insecure implementation of the plugin's shortcode output allows arbitrary web scripts to be injected into these pages.
The 'font-size' shortcode attribute is also reflected in the output, but it is not relevant to the vulnerability.
The core problem is that the second esc_html() call also escapes the quotation marks that were meant to enclose the attribute value, so the user-supplied value ends up in the HTML attribute unquoted. An unquoted attribute value ends at the first whitespace, so an attacker does not need a quote character at all: a space followed by an event-handler attribute such as onmouseover is enough to add a new attribute to the tag.
Let's take an example where the shortcode id attribute is used as an HTML attribute, similar to how it is used in the plugin.
February 24, 2024 - We receive the submission of the stored Cross-Site Scripting vulnerability in Contact Form Entries via the Wordfence Bug Bounty Program.
February 29, 2024 - We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
In this blog post, we detailed a stored Cross-Site Scripting vulnerability within the Contact Form Entries plugin affecting versions 1.3.3 and earlier.
This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages; the injected scripts execute whenever a user accesses an affected page.
The vulnerability has been fully addressed in version 1.3.4 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of Contact Form Entries.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
Originally published on www.wordfence.com, Mon, 18 Mar 2024 15:28:05 +0000.