Headline
CVE-2017-20054: Cross-Site Request Forgery & Cross-Site Scripting in Contact Form Manager WordPress Plugin
A vulnerability was found in XYZScripts Contact Form Manager Plugin. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev
Full Disclosure mailing list archives
From: Summer of Pwnage <lists () securify nl>
Date: Wed, 1 Mar 2017 07:13:59 +0100
------------------------------------------------------------------------ Cross-Site Request Forgery & Cross-Site Scripting in Contact Form Manager WordPress Plugin
Edwin Molenaar, July 2016
Abstract
It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addtion, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting.
OVE ID
OVE-20160718-0003
Tested versions
These issues were successfully tested on Contact Form Manager WordPress Plugin version
Fix
There is currently no fix available.
Details
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery___cross_site_scripting_in_contact_form_manager_wordpress_plugin.html
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Cross-Site Request Forgery & Cross-Site Scripting in Contact Form Manager WordPress Plugin Summer of Pwnage (Feb 28)