WordPress Contact Form To Email 1.3.24 Cross Site Scripting

WordPress Contact Form to Email plugin version 1.3.24 suffers from a persistent cross site scripting vulnerability.

MD5 | 9e28ce6804cc0140474721ef8ea6e4d2

# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 11/11/2021
# Exploit Author: Mohammed Aadhil Ashfaq
# Vendor Homepage: https://form2email.dwbooster.com/
# Version: 1.3.24
# Tested on: wordpress

1. Click Contact form to Email
2. Create new form name with <script>alert(1)</script>
3. Click Publish
4. XSS has been triggered
5. Open a different browser, logged in with wordpress. Copy the URL and
Press enter. XSS will trigger.

Related Posts