The WP Contact Form III 1.4.1 WordPress plugin by ‘KristinKWangen’ is vulnerable to multiple cross-site scripting (XSS) attacks.

Note to developers: this does not stop script injection attacks, because it only removes backslashes and surrounding whitespace and leaves HTML markup intact:

From wp-contactform.php line 105:
$_POST['wpcf_your_name'] = stripslashes(trim($_POST['wpcf_your_name']));

Also note that this is not a very good way to die, since the request parameter is written straight into the response body without any escaping:

From buttonsnap.php line 28:
$selection = isset($_POST['selection']) ? $_POST['selection'] : @$_GET['selection'];
$selection = apply_filters($dispatch, $selection);
die($selection);
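The following PHP is an added example, not code from the plugin or from this post. It contrasts the plugin's stripslashes(trim()) handling with HTML output encoding via htmlspecialchars (the plain-PHP equivalent of WordPress's esc_html()), and shows how a dispatch endpoint can return user input as plain text instead of letting the browser treat it as markup. The function names naive_clean, html_encode and respond_text and the sample inputs are constructed for the example.

```php
<?php
// Added example: why stripslashes(trim()) is not an XSS defence, and what
// output encoding does instead. Not the plugin's own code.

// Mirrors the plugin's approach in wp-contactform.php: it only undoes
// magic_quotes backslashes and trims whitespace. Markup passes through.
function naive_clean(string $value): string {
    return stripslashes(trim($value));
}

// Output encoding for an HTML text context: every character that can open
// a tag, attribute or quoted string is converted to an entity, so the
// browser renders it as text. In WordPress this is what esc_html() does.
function html_encode(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values of the kind a contact form field might receive.
$samples = [
    'Alice',
    '  Alice  ',
    "O\\'Reilly",
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
];

foreach ($samples as $input) {
    $naive = naive_clean($input);
    $safe  = html_encode($naive);
    // Simple check: does the "cleaned" string still contain a tag opener?
    $still_markup = (strpos($naive, '<') !== false) ? 'yes' : 'no';
    printf("input:   %s\n  naive:   %s  (markup survives: %s)\n  encoded: %s\n\n",
        $input, $naive, $still_markup, $safe);
}

// For the buttonsnap.php dispatch case: die($selection) writes the string
// into the HTTP response as-is. If the endpoint only ever returns text,
// declare that with a Content-Type header (and nosniff so the browser does
// not guess), so the response is never interpreted as HTML. If it must
// return HTML, pass the value through html_encode() first.
function respond_text(string $body): void {
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    die($body);
}
```

Run from the command line, the loop shows that naive_clean() leaves both script and attribute-breakout payloads untouched while html_encode() renders them inert.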

4 Responses to “XSS in WP Contact Form III.”
  1. Kristin K. Wangen says:

    Does the original Contact Form have the same issue? I’m just wondering as I’ve just added code and not edited any code.

    Do you know how to fix this?

  2. Kristin K. Wangen says:

    I just want to add that my plugin is based on one of the earlier versions of the original plugin, so it might have been fixed without me knowing it.

  3. Følgefeil · Fru W. says:

    […] a security flaw has been discovered in WP Contact Form III, and I would really advise people not to use […]

  4. WP Contact Form III security update « The Nameless Blog says:

    […] Contact Form III security update An XSS vulnerability was discovered in WP Contact Form III a couple of weeks ago, but the Swedish guy Fredrik Wärnsberg has been so […]
