Contact Form Clean and Simple < 4.7.0 | Authenticated Stored XSS

Vulnerability

Contact Form Clean and Simple is vulnerable to authenticated stored XSS. A user with admin capabilities can submit malicious code through the plugin’s options. This code is then executed on every front-end page that contains the contact form.

Proof of concept

When the consent checkbox option is checked and malicious code is added to the consent message box, users on the front-end are subject to this code.

Video PoC: https://www.youtube.com/watch?v=mKg0TUqEhC8
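
The fix pattern for this class of bug, as an added example that is not the plugin's own code: filter the consent message when the option is saved and again when the form is rendered. It assumes the file is loaded as a plugin inside WordPress; the option key, field names and shortcode are hypothetical, while wp_kses(), register_setting(), get_option() and add_shortcode() are standard WordPress functions.

```php
<?php
// Added example. All names here (option key, fields, shortcode) are hypothetical.
const EXAMPLE_OPTION = 'example_contact_form_options';

// Markup a consent message legitimately needs: a link and light emphasis.
function example_consent_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
}

// 1. Sanitize on save: applied when the option is written from the settings screen.
function example_sanitize_options( $input ) {
    $input   = is_array( $input ) ? $input : array();
    $message = isset( $input['consent_message'] ) ? (string) $input['consent_message'] : '';
    return array(
        'consent_enabled' => ! empty( $input['consent_enabled'] ),
        // wp_kses() drops every tag and attribute not in the allowlist,
        // including <script> and on* event handlers.
        'consent_message' => wp_kses( $message, example_consent_allowed_html() ),
    );
}
add_action( 'admin_init', function () {
    register_setting( 'example_contact_form', EXAMPLE_OPTION, array(
        'sanitize_callback' => 'example_sanitize_options',
    ) );
} );

// Vulnerable pattern, for contrast: the stored value reaches the page as-is.
//   return '<label>' . $options['consent_message'] . '</label>';

// 2. Filter again on output, so a value stored before the fix, or written
//    straight to the database, is still neutralized when the form renders.
function example_render_consent() {
    $options = get_option( EXAMPLE_OPTION, array() );
    if ( ! is_array( $options ) || empty( $options['consent_enabled'] ) ) {
        return '';
    }
    $message = isset( $options['consent_message'] ) ? (string) $options['consent_message'] : '';
    return '<label><input type="checkbox" name="consent" required> '
        . wp_kses( $message, example_consent_allowed_html() )
        . '</label>';
}
add_shortcode( 'example_contact_form', 'example_render_consent' );
```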

Plugin details

Plugin name: Contact Form Clean and Simple Plugin
URL: https://wordpress.org/plugins/clean-and-simple-contact-form-by-meg-nicholas/
Plugin Author: Meg Nicholas

Timeline

  • Tuesday, 14th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified.
  • Tuesday, 21st of January 2020: Plugin author notified again after no response.
  • Wednesday, 22nd of January 2020: Vulnerability posted to wpvulndb.com and this website.

Jeroen Mulder

Web developer based in the Netherlands