02 Feb 2008
XSS in WP Contact Form III.
Posted by: Gerry Eisenhaur in Content, tags: 0day, advisory, exploit, wordpress, xss
The WP Contact Form III 1.4.1 WordPress plugin by ‘KristinKWangen’ is vulnerable to multiple cross site scripting attacks.
Note to developers: this does not stop script injection attacks. stripslashes() only removes backslashes (undoing magic_quotes); it leaves HTML tags and JavaScript in the value untouched, so the name is later written into the page unencoded.
From wp-contactform.php line 105:
// Removes backslashes and surrounding whitespace only; "<script>" passes through unchanged.
$_POST['wpcf_your_name'] = stripslashes(trim($_POST['wpcf_your_name']));
Also note that this is not a very good way to die: the selection parameter is taken straight from the request and echoed back as the response body without any encoding, which is a textbook reflected XSS.
From buttonsnap.php line 28:
// Attacker-controlled value from POST, falling back to GET (the @ only hides the undefined-index notice).
$selection = isset($_POST['selection']) ? $_POST['selection'] : @$_GET['selection'];
// Runs whatever filters are hooked on $dispatch; nothing here escapes the value.
$selection = apply_filters($dispatch, $selection);
// Terminates the script with the raw (possibly filtered) input as the page output.
die($selection);
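To make the two points above concrete, here is an added example (my own code, not the plugin's) contrasting what stripslashes() actually does with contextual output encoding, and showing a safer shape for the buttonsnap.php dispatcher. The input string, the $handlers map and the function names are constructed for illustration; the plugin's real filter names and handlers are not on this page.

```php
<?php
// Added example, not from WP Contact Form III. Demonstrates why stripslashes()
// is not an XSS defence and how output encoding / whitelisting fixes both snippets.

// Constructed sample input, as PHP with magic_quotes would hand it to the plugin.
$raw = "O\\'Brien <script>alert(1)</script>";

// Equivalent of wp-contactform.php line 105: only backslashes and whitespace go.
function plugin_sanitize(string $value): string
{
    return stripslashes(trim($value));
}

// Hardened variant: encode for the HTML body context at the point of output.
// ENT_QUOTES also covers single quotes, ENT_SUBSTITUTE avoids empty output on bad UTF-8.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True if the value still contains an unencoded script tag after "sanitizing".
function still_contains_script(string $value): bool
{
    return stripos($value, '<script') !== false;
}

// Hardened shape for the buttonsnap.php dispatcher (assumed design, not the plugin's):
// accept only selections that map to a known handler, and never emit request data raw.
function safe_dispatch(?string $selection, array $handlers): string
{
    if ($selection === null || !array_key_exists($selection, $handlers)) {
        http_response_code(400);
        return 'invalid selection';          // constant text, no user input reflected
    }
    return html_escape($handlers[$selection]());
}

// Constructed handler table: keys are the only values a client may select.
$handlers = [
    'preview' => fn(): string => 'preview rendered',
    'submit'  => fn(): string => 'form submitted',
];

$sanitized = plugin_sanitize($raw);
echo "after stripslashes(): {$sanitized}\n";                      // <script> survives
echo "script still present: " . var_export(still_contains_script($sanitized), true) . "\n"; // true
echo "after html_escape():  " . html_escape($sanitized) . "\n";   // rendered as text, not executed

// Dispatcher: a valid key works, attacker-chosen strings are rejected, not echoed.
echo safe_dispatch('preview', $handlers) . "\n";                  // preview rendered
echo safe_dispatch($raw, $handlers) . "\n";                       // invalid selection
```

The fix for the contact form is to encode at output (htmlspecialchars in the HTML body, esc_attr in attributes), not to strip characters on input; the fix for the dispatcher is to treat selection as a key into a fixed table rather than as text to print.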
February 3rd, 2008 at 3:44 am
Does the original Contact Form have the same issue? I’m just wondering as I’ve just added code and not edited any code.
Do you know how to fix this?
February 3rd, 2008 at 3:50 am
I just want to add that my plugin is based on one of the earlier versions of the original plugin, so it might have been fixed without me knowing it.
February 3rd, 2008 at 4:02 pm
[…] a security flaw has been discovered in WP Contact Form III, and I would really advise people not to use […]
February 12th, 2008 at 4:11 pm
[…] Contact Form III security update An XSS vulnerability was discovered in WP Contact Form III a couple of weeks ago, but the Swedish guy Fredrik Wärnsberg has been so […]