MoBiC-29 Bonus: XSS in WP-ContactForm

22:58 29.11.2007

Continuing our talk about the last participant of the project, WP-ContactForm. It is a plugin for WordPress. The vulnerable version is WP-ContactForm 2.0.7 (and previous versions).

This plugin with built-in captcha, in addition to Insufficient Anti-automation, is also vulnerable to XSS (like Math Comment Spam Protection). I found these Cross-Site Scripting holes on 26.11.2007.

There are six XSS holes, and they are persistent XSS (in some cases CSRF + XSS attacks can be used). The holes are on the plugin options page (http://site/wp-admin/admin.php?page=wp-contact-form/options-contactform.php) in the parameters wpcf_email, wpcf_subject, wpcf_question, wpcf_answer, wpcf_success_msg, wpcf_error_msg. To attack, a POST request must be made to the plugin options script.
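As an added illustration (not WP-ContactForm's own code and not from the original post), a hypothetical options handler showing the two controls whose absence the advisory describes: a nonce check so the settings form cannot be submitted cross-site, and input sanitization plus output escaping for the wpcf_* values. The demo_wpcf_* function names and the demo_wpcf_options option key are assumptions; the wp_* and esc_* calls are current WordPress core functions.

```php
<?php
// Hypothetical WordPress options handler (not WP-ContactForm's code).
// Assumes WordPress core: check_admin_referer, wp_nonce_field, current_user_can,
// sanitize_text_field, sanitize_email, update_option, get_option, esc_attr, esc_html.

function demo_wpcf_post( $key ) {
    // Raw POST value or empty string; never trusted beyond this point.
    return isset( $_POST[ $key ] ) ? (string) $_POST[ $key ] : '';
}

function demo_wpcf_save_options() {
    // CSRF control: the form must carry a nonce tied to this action and this user,
    // so a forged POST from another site cannot change the settings.
    check_admin_referer( 'demo_wpcf_save', 'demo_wpcf_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Input sanitization: strip tags before the values are stored, so a
    // persistent payload never reaches the database in the first place.
    $opts = array(
        'wpcf_email'       => sanitize_email( demo_wpcf_post( 'wpcf_email' ) ),
        'wpcf_subject'     => sanitize_text_field( demo_wpcf_post( 'wpcf_subject' ) ),
        'wpcf_question'    => sanitize_text_field( demo_wpcf_post( 'wpcf_question' ) ),
        'wpcf_answer'      => sanitize_text_field( demo_wpcf_post( 'wpcf_answer' ) ),
        'wpcf_success_msg' => sanitize_text_field( demo_wpcf_post( 'wpcf_success_msg' ) ),
        'wpcf_error_msg'   => sanitize_text_field( demo_wpcf_post( 'wpcf_error_msg' ) ),
    );
    update_option( 'demo_wpcf_options', $opts );
}

// Output escaping on the options page: stored values go into attribute context.
function demo_wpcf_render_options_form() {
    $opts = get_option( 'demo_wpcf_options', array() );
    echo '<form method="post">';
    wp_nonce_field( 'demo_wpcf_save', 'demo_wpcf_nonce' );
    $keys = array( 'wpcf_email', 'wpcf_subject', 'wpcf_question',
                   'wpcf_answer', 'wpcf_success_msg', 'wpcf_error_msg' );
    foreach ( $keys as $key ) {
        $val = isset( $opts[ $key ] ) ? $opts[ $key ] : '';
        printf( '<label>%s <input type="text" name="%s" value="%s"></label><br>',
            esc_html( $key ), esc_attr( $key ), esc_attr( $val ) );
    }
    echo '</form>';
}

// Output escaping on the public contact page: same values, HTML body context.
function demo_wpcf_message( $key ) {
    $opts = get_option( 'demo_wpcf_options', array() );
    return esc_html( isset( $opts[ $key ] ) ? $opts[ $key ] : '' );
}
```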

XSS:

For attacking the admin only (on the options page):

WP-ContactForm XSS.html

WP-ContactForm XSS2.html

WP-ContactForm XSS3.html

WP-ContactForm XSS4.html

For attacking every user of the site (on the contact page):

WP-ContactForm CSRF5.html
WP-ContactForm XSS5.html

For attacking every user of the site on the contact page (and the admin on the options page):

WP-ContactForm XSS6.html

WP-ContactForm XSS7.html

For attacking every user of the site (on the contact page):

WP-ContactForm CSRF8.html
WP-ContactForm XSS8.html

WP-ContactForm CSRF9.html
WP-ContactForm XSS9.html

These exploits are for educational purposes only. Don’t use these holes and exploits for malicious purposes.

You need to set up the exploits to test them (set the site’s URL and other data).

Moral: always make captchas more secure and without XSS holes.
