Bugtraq: Stored Cross-Site Scripting vulnerability in Contact Form WordPress Plugin

————————————————————————

Stored Cross-Site Scripting vulnerability in Contact Form WordPress Plugin

————————————————————————

Julien Rentrop, July 2016

————————————————————————

Abstract

————————————————————————

A stored Cross-Site Scripting vulnerability was found in the Contact Form WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
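The pattern the abstract describes, shown as an added illustration that is not the plugin's code and not taken from the advisory: a hypothetical WordPress contact-form handler that stores submitted fields and later echoes them into an admin page, first in a vulnerable form and then hardened. The option name cf_example_submissions, the field names and the cf_example_* function names are assumptions made for this example; the WordPress API calls (get_option, update_option, wp_unslash, sanitize_text_field, wp_kses, esc_html) are the real ones and the snippet runs inside a WordPress plugin context.

```php
<?php
// Added illustration only: not code from the Contact Form plugin. The option
// name, field names and cf_example_* function names are assumptions.

// Vulnerable pattern: a submitted field is persisted verbatim and later echoed
// into an admin page unescaped. Whoever views the stored submissions (typically
// an administrator) runs the attacker's markup inside their own session.
function cf_example_store_submission_vulnerable( array $post ) {
    $submissions   = get_option( 'cf_example_submissions', array() );
    $submissions[] = array(
        'name'    => $post['name'],     // stored exactly as submitted
        'message' => $post['message'],  // stored exactly as submitted
    );
    update_option( 'cf_example_submissions', $submissions );
}

function cf_example_render_vulnerable() {
    foreach ( get_option( 'cf_example_submissions', array() ) as $row ) {
        // Raw concatenation into HTML: a name of "<script>...</script>" executes
        // in the browser of the user viewing this table.
        echo '<tr><td>' . $row['name'] . '</td><td>' . $row['message'] . '</td></tr>';
    }
}

// Hardened pattern: sanitize on input to limit what is stored, and separately
// escape on output for the exact context the value lands in (HTML body here).
// The output escaping is what actually prevents the XSS; input sanitization
// alone leaves any other output path (exports, attributes, JS) unprotected.
function cf_example_store_submission_hardened( array $post ) {
    $submissions   = get_option( 'cf_example_submissions', array() );
    $submissions[] = array(
        // wp_unslash() removes the slashes WordPress adds to $_POST data;
        // sanitize_text_field() strips tags, NUL bytes and extra whitespace.
        'name'    => sanitize_text_field( wp_unslash( $post['name'] ) ),
        // wp_kses() with an empty allow-list removes every tag but keeps
        // newlines, which sanitize_text_field() would collapse.
        'message' => wp_kses( wp_unslash( $post['message'] ), array() ),
    );
    update_option( 'cf_example_submissions', $submissions );
}

function cf_example_render_hardened() {
    foreach ( get_option( 'cf_example_submissions', array() ) as $row ) {
        // esc_html() encodes <, >, &, " and ' so stored markup is displayed,
        // not interpreted, regardless of what made it into the database.
        echo '<tr><td>' . esc_html( $row['name'] ) . '</td><td>'
           . esc_html( $row['message'] ) . '</td></tr>';
    }
}
```

When reviewing a fix for an issue like this, check every place the stored value is output, not only the form handler: a patch that adds input sanitization but leaves one echo, attribute (esc_attr) or JavaScript (esc_js) context unescaped is the typical shape of a partial fix.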

————————————————————————

OVE ID

————————————————————————

OVE-20160712-0042

————————————————————————

Tested versions

————————————————————————

This issue was successfully tested on Contact Form by BestWebSoft WordPress Plugin version 4.0.0.

————————————————————————

Fix

————————————————————————

This issue is partially resolved in Contact Form version 4.0.2. Note that the advisory does not name a version that fully resolves it, so upgrading to 4.0.2 alone should not be treated as a complete fix.

————————————————————————

Details

————————————————————————

https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_contact_form_wordpress_plugin.html

————————————————————————

Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.


Source: SecurityFocus Vulnerabilities @ March 1, 2017 at 04:03AM
