Contact Form 7 Integrations 1.0 - 1.3.10, Reflected XSS
The Contact Form 7 Integrations plugin for WordPress is vulnerable to reflected XSS in a file that is included with the default plugin installation, ‘includes/toAdmin.php’. If both the ‘uE’ and ‘uC’ query-string arguments (QSAs) are supplied, their values are output without any validation or encoding. A specifically crafted string in either of these QSAs can trigger the XSS vulnerability.
Update to version 1.3.11
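The following PHP is an added illustration, not the plugin's own code: a hypothetical minimal handler that reflects the ‘uE’ and ‘uC’ QSAs the way the advisory describes, next to a hardened version that validates the input and encodes each value for the context it is written into. The function names and the HTML contexts (a hidden input attribute and a paragraph) are assumptions.

```php
<?php
// Added illustration, not the plugin's actual code. Function names and the
// output contexts are hypothetical; only the 'uE'/'uC' reflection pattern
// comes from the advisory.

// Vulnerable pattern: both arguments are written straight into the page.
function cf7i_render_vulnerable() {
    if ( isset( $_GET['uE'] ) && isset( $_GET['uC'] ) ) {
        // Reflected XSS: no validation and no output encoding.
        echo '<input type="hidden" name="uE" value="' . $_GET['uE'] . '">';
        echo '<p>' . $_GET['uC'] . '</p>';
    }
}

// Hardened pattern: require both arguments, strip tags and control
// characters on input, then encode for the specific output context.
function cf7i_render_hardened() {
    if ( ! isset( $_GET['uE'] ) || ! isset( $_GET['uC'] ) ) {
        return;
    }
    // wp_unslash() undoes WordPress' magic-quotes style slashing;
    // sanitize_text_field() removes tags, octets and surrounding whitespace.
    $ue = sanitize_text_field( wp_unslash( $_GET['uE'] ) );
    $uc = sanitize_text_field( wp_unslash( $_GET['uC'] ) );

    // esc_attr() for an attribute value, esc_html() for element text:
    // the encoding must match where the value lands in the markup.
    echo '<input type="hidden" name="uE" value="' . esc_attr( $ue ) . '">';
    echo '<p>' . esc_html( $uc ) . '</p>';
}
```

Sanitising on input alone is not enough; the escaping call at the point of output is what closes the reflected XSS.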
Proof of Concept
The following URL triggers an alert.
- 2014-09-16: Discovered
- 2014-09-16: Reported to vendor
- 2014-09-16: CVE requested
- 2014-09-17: Vendor responded, stating it’s being looked into
- 2014-09-19: Vendor releases 1.3.11 – issue resolved
- 2014-09-19: CVE assigned
- 2014-09-26: Advisory released