Add-on SweetAlert Contact Form 7 < 1.0.8 - Authenticated Stored Cross-Site Scripting (XSS)

Stored XSS "post-auth" in "tittle" field of the "Error Alert" and "Success Alert" sections of the plugin's settings page due to poor sanitization of entered characters.

When you enter the payload and save the changes, it is permanently embedded in the html code of the settings page, so all users who visit the plugin's settings can suffer the attack.

Edit (WPScanTeam):
May 13th, 2020 - Confirmed & Escalated to WP Plugin Team
May 21st, 2020 - v1.0.8 released, fixing the issu
Proof of Concept
Enter the following payload in the Title field of the Error Alert or Success Alert section in the plugin's settings: "onfocus=alert(/XSS/) autofocus="autofocus

Affects Plugin

fixed in version 1.0.8


Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)


Original Researcher Juan M.
Submitter Mike_JMSec
Submitter Website
Views 1349
Verified Yes
WPVDB ID 10233


Publicly Published 2020-05-25 (about 2 months ago)
Added 2020-05-25 (about 2 months ago)
Last Updated 2020-05-25 (about 2 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin