Contact Form 7 Integrations 1.0 - 1.3.10, Reflected XSS

The Contact Form 7 Integrations plugin for WordPress suffers from a reflected XSS vulnerability in a file shipped with the default plugin installation, ‘includes/toAdmin.php’. If both the ‘uE’ and ‘uC’ query string arguments (QSAs) are provided, their values are output without validation or encoding. A specially crafted string in either of these QSAs can trigger the XSS.

Homepage

https://wordpress.org/plugins/contact-form-7-integrations/

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 1.3.11

Proof of Concept

Loading the following URL triggers a JavaScript alert.

http://localhost/wp-content/plugins/contact-form-7-integrations/includes/toAdmin.php?uE=1&uC=');alert('testing');</script>
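
For defenders who cannot update immediately, the following added example (not part of the original advisory) scans web server access log lines for requests to the affected endpoint that supply both ‘uE’ and ‘uC’, and flags values containing characters that would break out of a quoted string in the reflected output. The log lines are constructed samples; the log format and the character list are assumptions.

```python
"""Scan access logs for probes against the toAdmin.php reflected XSS."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint path and parameter names are taken from the advisory.
TARGET_PATH = "/wp-content/plugins/contact-form-7-integrations/includes/toAdmin.php"
REQUIRED_PARAMS = ("uE", "uC")

# Combined Log Format (assumed): client, ident, user, timestamp, request line, status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Characters that legitimate uE/uC values should never need and that would escape a quoted
# JavaScript string or close a <script> block in the unencoded reflection (assumed list).
SUSPICIOUS = re.compile(r"""[<>'"();]|script""", re.IGNORECASE)


def classify(line):
    """Return a finding dict for a request hitting the vulnerable endpoint with both QSAs, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if not all(name in params for name in REQUIRED_PARAMS):
        return None  # the reflection only happens when both are present
    for name in REQUIRED_PARAMS:
        for value in params[name]:
            if SUSPICIOUS.search(value):
                return {"ip": m.group("ip"), "severity": "high", "param": name, "value": value}
    return {"ip": m.group("ip"), "severity": "info", "param": None, "value": None}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log: one PoC-shaped request, one benign request, two non-matching ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Sep/2014:10:00:01 +0000] "GET ' + TARGET_PATH
    + '?uE=1&uC=%27%29%3Balert%28%27testing%27%29%3B%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2014:10:00:02 +0000] "GET ' + TARGET_PATH + '?uE=1&uC=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [26/Sep/2014:10:00:03 +0000] "GET /index.php?p=1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Sep/2014:10:00:04 +0000] "GET ' + TARGET_PATH + '?uE=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```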

Timeline

  • 2014-09-16: Discovered
  • 2014-09-16: Reported to vendor
  • 2014-09-16: CVE requested
  • 2014-09-17: Vendor responded, stating it’s being looked into
  • 2014-09-19: Vendor releases 1.3.11 – issue resolved
  • 2014-09-19: CVE assigned
  • 2014-09-26: Advisory released