Too Much Escaping Backfires, Allows Shortcode-Based XSS Vulnerability in Contact Form Entries WordPress Plugin

by | Mar 18, 2024 | Digital Marketing, Research, Vulnerabilities, WordPress Security

The article discusses a recent submission of a stored Cross-Site Scripting (XSS) vulnerability in the Contact Form Entries WordPress plugin during the Bug Bounty Extravaganza event. The vulnerability allows threat actors with contributor-level permissions to inject malicious web scripts into pages using the plugin’s shortcode. The researcher who discovered and reported the vulnerability earned a bounty of $132.00 through the Wordfence Bug Bounty Program.

Wordfence, a web security company, contacted the CRM Perks Team about the vulnerability and received a prompt response. The developer released a patch for the vulnerability in version 1.3.4 of the plugin. Wordfence urges users to update their sites with the latest patched version to protect against exploits targeting this vulnerability.

The article provides a vulnerability summary and technical analysis of the issue, explaining how the escaping in the plugin's shortcode output is applied incorrectly and so allows stored XSS. It also includes an example of how an attacker could exploit the vulnerability.
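As an added illustration of the mitigation, not code from the Wordfence article or from the Contact Form Entries plugin: a minimal WordPress shortcode handler that escapes each value exactly once, with the escaping function chosen by the output context (attribute, text, or allowed HTML). The shortcode name, attribute names, and sample rows are assumptions constructed for the example.

```php
<?php
// Added example (not the plugin's code): a shortcode whose output escapes
// every untrusted value once, in the context where it is emitted.
add_shortcode( 'example_entries_table', function ( $atts ) {
    // Shortcode attributes can be written by contributor-level users,
    // so every attribute is treated as untrusted input.
    $atts = shortcode_atts(
        array( 'form_id' => 0, 'title' => '' ),
        $atts,
        'example_entries_table'
    );

    $form_id = absint( $atts['form_id'] );   // numeric: coerce, then escape on output
    $title   = (string) $atts['title'];

    // Constructed sample rows standing in for stored form submissions.
    $rows = array(
        array( 'name' => 'Jane Doe', 'message' => 'Hello <b>world</b>' ),
    );

    // Attribute context: esc_attr().
    $out  = '<div class="entries" data-form-id="' . esc_attr( $form_id ) . '">';
    // Text context: esc_html(), applied once and not combined with another encoder.
    $out .= '<h3>' . esc_html( $title ) . '</h3>';
    $out .= '<table>';
    foreach ( $rows as $row ) {
        $out .= '<tr>';
        $out .= '<td>' . esc_html( $row['name'] ) . '</td>';
        // Stored content that is allowed to contain limited HTML: filter it
        // with wp_kses_post() instead of escaping it as plain text.
        $out .= '<td>' . wp_kses_post( $row['message'] ) . '</td>';
        $out .= '</tr>';
    }
    $out .= '</table></div>';
    return $out;
} );
```

The point of the pattern is that each value is handled by one function matched to where it lands in the markup; adding a second encoder, or encoding in one place and decoding elsewhere, is how escaping logic ends up neither consistent nor reviewable.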

The disclosure timeline reveals the steps taken by Wordfence to report and address the vulnerability, from receiving the submission to the release of the patched version of the plugin.

In conclusion, the article emphasizes the importance of updating to the latest version of Contact Form Entries to protect against the vulnerability. Wordfence states that all its users, whether on the premium or the free version of the Wordfence plugin, are protected. It recommends sharing the advisory with others who use Contact Form Entries so that their sites remain secure.
