Too Much Escaping Backfires, Allows Shortcode-Based XSS Vulnerability in Contact Form Entries WordPress Plugin
🎉 Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!
On February 24th, 2024, during our second Bug Bounty Extravaganza, we received a submission for a stored Cross-Site Scripting (XSS) vulnerability in Contact Form Entries, a WordPress plugin with more than 60,000 active installations. The vulnerability enables authenticated attackers with contributor-level permissions or higher to inject malicious web scripts into pages via the plugin's shortcode; the injected script then executes in the browser of any user who views the affected page.
Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $132.00 for this discovery during our Bug Bounty Extravaganza. Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program. This demonstrates that we are committed to investing not only in making the WordPress ecosystem more secure, but in securing the entire web.
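The writeup above does not reproduce the plugin's vulnerable code, so the following is an added illustration, not code from the Contact Form Entries plugin or from Wordfence, of the general pattern behind a contributor-level stored XSS via a shortcode and of the context-specific escaping that prevents it. The shortcode name `[demo_entries]`, the functions `demo_entries_vulnerable()` / `demo_entries_hardened()` and the attribute names are hypothetical; `shortcode_atts()`, `esc_attr()`, `esc_html()`, `esc_url()` and `add_shortcode()` are the real WordPress API. The point a practitioner should take from the page is that WordPress's `wp_kses` filtering of a Contributor's post content does not inspect shortcode attribute values, so whatever HTML the shortcode handler builds from those values is rendered unfiltered when an Editor previews the draft or a visitor views the published page.

```php
<?php
/**
 * Added illustration (hypothetical plugin code, not Contact Form Entries):
 * a shortcode that renders a caption and link for a form-entries table,
 * first in a vulnerable form, then hardened.
 *
 * A Contributor cannot post raw <script> tags (no unfiltered_html
 * capability), but can save this in a draft:
 *
 *   [demo_entries title='x" onmouseover="alert(document.cookie)' link='javascript:alert(1)']
 *
 * The shortcode parser keeps the double quotes inside the single-quoted
 * attribute value, and wp_kses never sees the HTML the handler emits.
 */

// VULNERABLE: attribute values are concatenated straight into HTML.
// The title payload closes the title="" attribute and adds an event
// handler; the link payload lands in href unchanged.
function demo_entries_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Entries', 'link' => '#' ),
        $atts,
        'demo_entries'
    );
    return '<div class="entries" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a>'
         . '</div>';
}

// HARDENED: escape exactly once, at output, with the function that
// matches the context the value lands in:
//   esc_attr() for HTML attribute values,
//   esc_html() for text nodes,
//   esc_url()  for href/src (drops javascript: and other unsafe schemes).
// Do not escape early (on save) and then decode or re-process the value
// later: an escaping step that is undone before output protects nothing,
// while escaping twice merely produces ugly but harmless output.
function demo_entries_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Entries', 'link' => '#' ),
        $atts,
        'demo_entries'
    );
    return '<div class="entries" title="' . esc_attr( $atts['title'] ) . '">'
         . '<a href="' . esc_url( $atts['link'] ) . '">'
         . esc_html( $atts['title'] )
         . '</a></div>';
}

add_shortcode( 'demo_entries', 'demo_entries_hardened' );
```

When auditing a shortcode handler, trace every value from `$atts` (and from the shortcode's `$content`) to the exact HTML position where it is emitted, and check that the last operation applied before output is the escaping function for that position, with nothing decoding, unslashing or re-parsing the string afterwards.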
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.
We contacted the CRM Perks Team on February 29, 2024, and received a response on March 1, 2024. After we provided full disclosure details, the developer released a patch on March 6, 2024. We would like to commend the CRM Perks Team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Contact Form Entries, which is version 1.3.4, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Description: Database for Contact Form 7, WPforms, Elementor forms