XSS in WP Contact Form III.

February 2nd, 2008

The WP Contact Form III 1.4.1 WordPress plugin by ‘KristinKWangen’ is vulnerable to multiple cross-site scripting attacks.

Note to developers: this does not stop script injection attacks (stripslashes() and trim() only normalize the string; they escape nothing):

From wp-contactform.php line 105:

// Strips added backslashes and surrounding whitespace only; <, >, quotes and
// every other HTML metacharacter in the submitted name survive unchanged.
$_POST['wpcf_your_name'] = stripslashes(trim($_POST['wpcf_your_name']));

Also note that this is not a very good way to die (whatever is passed to die() is written straight into the response):

From buttonsnap.php line 28:

// Reads 'selection' from POST (or, failing that, GET), passes it through the
// registered filters and writes the result back as the whole response body,
// with no HTML escaping anywhere on the way.
$selection = isset($_POST['selection']) ? $_POST['selection'] : @$_GET['selection'];
$selection = apply_filters($dispatch, $selection);
die($selection);

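As an added illustration (this is not code from the plugin or from the post above), the PHP below puts the plugin's normalization next to HTML escaping at output time, for both snippets: the wp-contactform.php field handling and the buttonsnap.php reflection. The function names, the probe string and the plain arrays standing in for $_POST and $_GET are all constructed for the example.

```php
<?php
// Added example, not part of the plugin or the post.

// What wp-contactform.php line 105 does: normalization only. Backslashes and
// surrounding whitespace go away, but every HTML metacharacter is kept.
function normalize_only(string $value): string
{
    return stripslashes(trim($value));
}

// Defensive counterpart: same normalization, then escape at the point where
// the value is written into HTML. ENT_QUOTES also converts ' and ", so the
// result is safe inside quoted attributes too. WordPress template code can
// use esc_html() for the same purpose.
function escape_for_html(string $value): string
{
    return htmlspecialchars(normalize_only($value), ENT_QUOTES, 'UTF-8');
}

// Stand-in for the buttonsnap.php dispatcher: take 'selection' from POST or
// GET and hand it straight back. Returning instead of calling die() keeps
// the behaviour visible without ending the script.
function unsafe_response(array $post, array $get): string
{
    $selection = isset($post['selection']) ? $post['selection'] : ($get['selection'] ?? '');
    return $selection; // reflected verbatim: this is the XSS sink
}

// Same lookup, escaped before it reaches the response body.
function safe_response(array $post, array $get): string
{
    $selection = isset($post['selection']) ? $post['selection'] : ($get['selection'] ?? '');
    return htmlspecialchars($selection, ENT_QUOTES, 'UTF-8');
}

// Constructed probe: a tag plus escaped quotes, as a form post would deliver
// them with magic quotes on. The script body is inert on purpose.
$probe = "  <script>x</script> \\'quoted\\'  ";

echo "normalize_only : ", normalize_only($probe), PHP_EOL;
echo "escape_for_html: ", escape_for_html($probe), PHP_EOL;

$get = ['selection' => '<i>hello</i>'];
echo "unsafe_response: ", unsafe_response([], $get), PHP_EOL;
echo "safe_response  : ", safe_response([], $get), PHP_EOL;
```

Running it shows the tag and quotes intact after normalize_only() and as entity references after escape_for_html(); the fix in both files is the same one-line change, escaping at output rather than trying to clean input.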
  1. February 3rd, 2008 at 03:44

    Does the original Contact Form have the same issue? I’m just wondering, as I’ve just added code and not edited any code.

    Do you know how to fix this?

  2. February 3rd, 2008 at 03:50

    I just want to add that my plugin is based on one of the earlier versions of the original plugin, so it might have been fixed without me knowing it.
