Data is not escaped correctly.
File: contact-form-to-email\cp-main-class.inc.php (I skip unnecessary lines)
The XSS is visible to the admin.
Proof of Concept:
We assume that the admin uses the default form with the “subject” field and doesn’t use a captcha.
If not, use the form directly on the website and put the XSS in any field.
The XSS will be visible to the admin:
Timeline:
- 19-10-2014: Discovered
- 08-11-2014: Vendor notified
- 08-11-2014: Version 1.0.1 released, issue resolved
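
The class of fix for the issue described above is escaping submitted values at the point where the admin view prints them. The following is an added illustration, not the plugin's code and not the 1.0.1 patch; the function names, the `email` field and the row layout are assumptions, and the sample submission is constructed.

```php
<?php
// Added illustration, not the plugin's code. Function names, the "email"
// field and the row layout are assumptions. Inside WordPress, esc_html()
// and esc_attr() serve the purpose of the h() helper below.

function h(string $s): string {
    // Escape for HTML element content and for quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe pattern: submitted values are concatenated into admin markup as-is.
function render_row_unescaped(array $msg): string {
    return '<tr><td>' . $msg['subject'] . '</td>'
         . '<td><input type="text" value="' . $msg['email'] . '"></td></tr>';
}

// Hardened pattern: every submitted value is escaped where it is output.
function render_row_escaped(array $msg): string {
    return '<tr><td>' . h($msg['subject']) . '</td>'
         . '<td><input type="text" value="' . h($msg['email']) . '"></td></tr>';
}

// Reports whether markup from the submission survived into the page.
function contains_submitted_markup(string $html): bool {
    return strpos($html, '<script') !== false
        || strpos($html, '<img') !== false;
}

// Constructed sample submission with markup in both fields.
$msg = [
    'subject' => '<script>alert(1)</script>',
    'email'   => '"><img src=x onerror=alert(1)>',
];

$unsafe = render_row_unescaped($msg);
$safe   = render_row_escaped($msg);

echo "unescaped row carries submitted markup: ";
var_dump(contains_submitted_markup($unsafe));
echo "escaped row carries submitted markup:   ";
var_dump(contains_submitted_markup($safe));
echo $safe, PHP_EOL;
```

The second field shows why the attribute context needs quote escaping as well: without `ENT_QUOTES`-style handling, a `"` in the value closes the attribute even when `<` and `>` are escaped.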