Too Much Escaping Backfires, Allows Shortcode-Based XSS Vulnerability in Contact Form Entries WordPress Plugin

On February 24th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a stored Cross-Site Scripting (XSS) vulnerability in Contact Form Entries, a WordPress plugin with more than 60,000 active installations. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages via the plugin’s shortcode.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $132.00 for this discovery during our Bug Bounty Program Extravaganza.

Users of paid versions of Wordfence as well as those using the free version of the plugin are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Wordfence contacted the CRM Perks Team on February 29, 2024, and received a response on March 1, 2024. After providing full disclosure details, the developer released a patch on March 6, 2024. We would like to commend the CRM Perks Team for their prompt response and timely patch, which was released on the next day.

We urge users to update their sites with the latest patched version of Contact Form Entries, which is version 1.3.4 as of the date of this post, as soon as possible.

Source and more details:
