02 Feb 2008
XSS in WP Contact Form III.
Posted by: Gerry Eisenhaur in Content, tags: 0day, advisory, exploit, wordpress, xss
The WP Contact Form III 1.4.1 WordPress plugin by ‘KristinKWangen’ is vulnerable to multiple cross-site scripting attacks.
Note to developers: this does not stop script injection attacks.
From wp-contactform.php line 105:
$_POST['wpcf_your_name'] = stripslashes(trim($_POST['wpcf_your_name']));
Also note that this is not a very good way to die:
From buttonsnap.php line 28:
$selection = isset($_POST['selection']) ? $_POST['selection'] : @$_GET['selection'];
$selection = apply_filters($dispatch, $selection);
die($selection);
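As an added example (not code from the plugin or from the original post), here is the normalisation quoted above next to output encoding with PHP's htmlspecialchars(). The sample input and the render_name_field() helper are constructed for illustration, and how the plugin re-displays the submitted value is an assumption.

```php
<?php
// Added example, not plugin code. Sample input and helper names are constructed.

// The normalisation quoted from wp-contactform.php line 105: removes slashes
// and surrounding whitespace, leaves HTML metacharacters untouched.
function normalise_as_plugin(string $raw): string {
    return stripslashes(trim($raw));
}

// Output encoding for HTML text and quoted attribute values.
// Inside WordPress, esc_html() / esc_attr() serve the same purpose.
function encode_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical re-display of the submitted name in the form (assumption).
function render_name_field(string $value): string {
    return '<input type="text" name="wpcf_your_name" value="' . $value . '" />';
}

// Constructed input with magic-quotes style escaping, as $_POST might hold it.
$submitted  = '  \"><i>constructed</i>  ';
$normalised = normalise_as_plugin($submitted);

// Before: the quote closes the attribute and the markup becomes part of the page.
echo "unencoded: ", render_name_field($normalised), PHP_EOL;

// After: encode at the point of output, for the context being written into.
echo "encoded:   ", render_name_field(encode_for_html($normalised)), PHP_EOL;

// Same rule for the buttonsnap.php pattern: a request value handed to die()
// is written to the response, so it needs encoding as well.
$selection = '<i>constructed</i>';          // stands in for $_POST['selection']
echo "die() arg: ", encode_for_html($selection), PHP_EOL;

// Sanity check: no markup-significant characters survive encoding.
foreach ([$normalised, $selection] as $v) {
    if (preg_match('/[<>"\']/', encode_for_html($v))) {
        throw new RuntimeException('encoding left a metacharacter in place');
    }
}
```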