Headline

CVE-2022-25601: Contact Form X

Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).

2 years ago

CVE

Open in Source

#sql #xss #vulnerability #web #google #js #git #java

Details
Reviews
Installation
Support
Development

Displays a user-friendly contact form that your visitors will love.

CFX: Contact form reinvented. Fast and friendly. Fresh and clean. Awesome for everyone 🙂

Overview

Install, activate, and then display the form anywhere, using the widget, shortcode, or template tag. Here is an overview of Contact Form X:

Easy to use
Simple and secure
Lightweight and super fast
Provides multiple form styles
Customize just about everything
Display the contact form anywhere
Change the order of the form fields
Send email to multiple recipients
Complete documentation via Help tab
Excellent free plugin support

“The famous spam filter SpamAssassin” scores CFX = zero spam!

For more details, check out the “Screenshots” section, below.

Form Fields

Easily choose which fields to display in the form. Each field may be set as required, optional, or disabled. Choose from these fields:

Name
Website
Email
Subject
Custom Field
Challenge Question
Message
Google reCaptcha (v2 or v3 Invisible)
Carbon Copy
Agree to Terms

You can change the order of these fields and customize their labels and placeholders, everything is super flexible.

For a live demo of Contact Form X, visit my contact page at Perishable Press. Note: the form at Perishable Press is highly customized with CSS, but all other functionality is the same. Feel free to send a test email to see how it works, I won’t mind 😉 Also check out CFX in the “Screenshots” section (below) for a better idea of how the default form is styled out of the box.

Privacy

To help protect user privacy, Contact Form X provides the following features:

Agree to terms checkbox, customizable
Choose which fields to include with the form
Option to disable collection of user IP address and other data
Note: this plugin uses cookies to enhance form functionality

Basically, this plugin enables visitors to send a message via contact form. Any information the user enters into the form will be sent directly to the recipient(s) according to plugin settings. When enabled in the plugin settings, details about each sent message will be stored in the WordPress database. Visit the “Advanced” plugin settings to control this and other data-collection features.

Note: This plugin provides an option to enable Google reCaptcha, which is provided by Google as a third-party service. For details on privacy and more, please refer to official documentation for Google reCaptcha.

CFX is developed and maintained by Jeff Starr, 10-year WordPress developer, security specialist, and book author.

Geeky Stuff

Lots of goodness for the geeks among us:

Built with the WordPress API
Ajax-powered form submission
Remembers form data on error
Google reCaptcha version 2
NEW: Google reCaptcha version 3 (invisible)
NEW: Drag/drop ordering of the form fields
View your email messages on the WP Dashboard
Option to enable/disable storing of email data in database
Display form via widget, shortcode, or template tag
Five CSS themes: Default, Classic, Micro, Synthetic, Dark
Optionally collect user data like IP, host, and referrer
Works perfectly with or without Gutenberg Block Editor
Focused on performance, security, and usability
Include extra form and user info with each message
Customize the form’s success and error messages
Provides plenty of useful hooks for developers
Targeted loading of CSS and JavaScript assets
One-click remove email data from database
One-click restore default options
Translation ready

Contact Form X is a fresh new, lighter alternative to the heavier contact forms out there. CFX is lightweight yet fully featured. As they say, “everything you want, nothing you don’t”.

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

The Tao of WordPress
Digging into WordPress
.htaccess made easy
WordPress Themes In Depth
Wizard’s SQL Recipes for WordPress

And/or purchase one of my premium WordPress plugins:

BBQ Pro – Super fast WordPress firewall
Blackhole Pro – Automatically block bad bots
Banhammer Pro – Monitor traffic and ban the bad guys
GA Google Analytics Pro – Connect WordPress to Google Analytics
USP Pro – Unlimited front-end forms

Links, tweets and likes also appreciated. Thanks! 🙂

Installing the plugin

Upload the plugin to your blog and activate
Configure the plugin settings as desired
Display the form on any post or page via shortcode: [contactformx]

Visit the Help tab on the plugin settings page for complete documentation.

More info on installing WP plugins

Uninstalling

This plugin cleans up after itself. All plugin settings will be removed from your database when the plugin is uninstalled via the Plugins screen.

Note: uninstalling/deleting the plugin via the WP Plugins screen results in the removal of all settings and email data from the WP database.

Like the plugin?

If you like Contact Form X, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

What about the styles?

The plugin provides five form styles (themes): Default, Classic, Micro, Synthetic, and Dark.

The first three themes (Default, Classic, Micro) employ minimal, mostly structural styles. One of the benefits of using the minimal styles is that they allow your WordPress theme to set the form’s appearance. And that’s good because it helps keep your pages looking visually consistent across your site.

The last two themes (Synthetic, Dark) go much further with the stylings. The Synthetic and Dark styles will override any/most CSS applied via your WordPress theme. So if the contact form looks weird or whatever when trying Default, Classic, or Micro, try either Synthetic or Dark should do the trick.

What about targeted loading of assets?

Sure. By default, Contact Form X loads its assets (CSS and JavaScript) on every front-end page. So if you display a contact form in your sidebar, it will work on all pages.

Some sites prefer to have a “Contact” page, and then just display the contact form in one location. In this scenario, it doesn’t make sense to include plugin assets on every front-end page. So CFX provides a setting called “Targeted Loading” (under the Advanced tab). There you can enter the URL of the page that displays the contact form. That way, the plugin will know to load assets only on that page. This is an excellent way to help keep things optimized for performance and so forth.

How to change the button color?

In the plugin settings, visit the “Appearance” tab. There you will see the first option, “Form Style”. That tells you which styles are used for the form. So to change the button color, scroll down to locate the styles that you are using (e.g., Default, Classic, Micro, et al). To change the color of the submit button, add the following line to whichever styles you are using:

#cfx .cfx-button { background: red !important; }

Change the red to whatever color you want. Can use hex values, rgba, or any valid CSS properties. Save changes and done.

Visit the Advanced tab and enable “Extra Email Info” option. Save changes and done.

How to defer or async loading of JavaScript?

The recommended way to defer or async load JavaScript is to use a trusted plugin, such as this one.

How to set maxlength on the Message textarea?

It is possible to set a maxlength attribute on the Message field, a textarea. To do so, add the following code via (child) theme or custom plugin:

function contactformx_textarea_maxlength($chars) { return 500; }
add_filter('contactformx_textarea_maxlength', 'contactformx_textarea_maxlength');

You can adjust the number of characters by changing 500 to any number.

How to display the form shortcode inside a widget?

Enable the Advanced option, “Widget Shortcodes”. Save changes and done.

How to change the language for Google reCaptcha?

By default, the Google reCaptcha field is displayed in English. To change that to some other language, first locate the two-digit abbreviation for your language here. Then add the following code to your theme (or child theme) functions.php, or add via simple custom plugin:

function contactformx_recaptcha_querystring($query) { return 'en'; }
add_filter('contactformx_recaptcha_querystring', 'contactformx_recaptcha_querystring');

Notice where it says en, that is the two-character language code you want to replace with your own. Then save changes and done.

How to remove or empty the old database table?

In CFX v1.9, sent emails optionally may be stored in the database as custom post types. Before CFX v1.9, email data was stored in its own/separate database table. So that means users who are upgrading from previous versions to 1.9 or better will have an unused email table in their database. It won’t hurt or affect anything, but you may want to empty or remove it to help save space.

Important: the following steps are for users of CFX v1.9+ who have upgraded from a previous version. Do NOT follow these steps if using CFX versions less than 1.9, OR if you never have used any version of CFX less than 1.9.

To empty the old/unused CFX database table:

Log in to WordPress as admin-level user
Create a new page and leave in Draft status
Add [contactformx_legacy_empty_table] to the page
Preview the page on the frontend
Click the link to Empty the CFX database table
After seeing the success message, delete the draft page and shortcode

To remove the old/unused CFX database table:

Log in to WordPress as admin-level user
Create a new page and leave in Draft status
Add [contactformx_legacy_drop_table] to the page
Preview the page on the frontend
Click the link to Empty the CFX database table
After seeing the success message, delete the draft page and shortcode

Using a temporary/draft page for the shortcode and then deleting it afterwards ensures that only YOU are making changes to the database. It is important to not display either of the above shortcodes publicly.

Got a question?

Send any questions or feedback via my contact form

Works great, feels fast and light.

This form plugin is way better than contact form 7. I have a feature request. Plz load the css and js only in the page where the shortcode is used. I know there is a manual option available for that. But not every people notices that and site speed becomes slower because of shitty recaptcha js file.

It just works, straight out of the box, and the emails go right to my inbox (not spam)! And it literally takes minutes to get it up and running! My old contact form stopped working (wasn’t developed anymore), and WPforms didn’t work (it only sent one test email to spam, then stopped working all together). Thank you so much Jeff!

Finally a good simple alternative. The only thing lacking is support for multiple forms and multilingual support

I was looking for a simple contact form, i found it. I like “Targeted Loading” option: the plugin assets are only loaded on one page, the page where the form is used. You need only to add the page link of the contact form. The plugin setup is very easy, and include all the options that should have a contact form. Thank you Jeff Starr for this plugin.

I love Contact Form X. It’s as simple as it gets, but it’s also possible to customise should you wish. If you’re having issues with form spam, this plugin will sort it. I’ve used it on multiple WP sites with great results. Thanks Jeff!

Read all 25 reviews

“Contact Form X” is open source software. The following people have contributed to this plugin.

Contributors