Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.

**Alist Version / Alist 版本**

v2.0.10-v2.1.0

**Describe the bug / 问题描述****Vulnerability Introduction**

A route in Alist that uses user-inputted parameters when displaying xml files and does not filter them can cause xss.

Vulnerability affects version: v2.0.10-v2.1.0

**Vulnerability Analysis**

A new route was added in Alist v2.0.10: `/i/:data/ipa.plist`, which allows users to control the data parameter in path.

![image](https://user-images.githubusercontent.com/66706544/156100081-03cb9800-adcd-4b62-9fe9-df1633941333.png)

Simplified code:

func Plist(c \*gin.Context) {
	data := c.Param("data")
	data \= strings.ReplaceAll(data, "\_", "/")
	data \= strings.ReplaceAll(data, "-", "=")
	bytes, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		common.ErrorResp(c, err, 500)
		return
	}
	u := string(bytes)
 plist := fmt.Sprintf(\`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
...
 <string>%s</string>
...
					<string>ci.nn.%s</string>
...
 <string>%s</string>
...
\`, u, name, name)
	c.Header("Content-Type", "application/xml;charset=utf-8")
	c.Status(200)
	\_, \_ \= c.Writer.WriteString(plist)

The incoming data is decoded by replacing (recovering the original base64 encoded url conflict characters), and then the parameter `u` is directly spliced and output to the page, so we can use this to construct the xss payload.

 <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>
 

The paylod is base64 encoded as follows:

 PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4=
 

Replace `=` with `-`, then splice in the path:

 http(https)://<host:port>/i/PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4-/ipa.plist
 

**Vulnerability Exploitation**

After a successful local exploit, try using the official demo site to test:

![image](https://user-images.githubusercontent.com/66706544/156100105-82fbd87f-e19b-4797-809d-05d6b47af9ba.png)

**Reproduction / 复现链接**

https://alist.xhofe.top/i/PGE6c2NyaXB0IHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KDEpPC9hOnNjcmlwdD4-/ipa.plist

**日志 / Logs**

_No response_

CVE-2022-26533: Alist has Cross Site Scripting (XSS) vulnerability · Issue #645 · Xhofe/alist

A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users via the (1) pageSize and (2) pageNo parameters.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-44667: This is  XSS vulnerabilities · Issue #7359 · alibaba/nacos

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks. Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions are affected.

The redirect URI in the LTI authorization endpoint required extra sanitizing to prevent reflected XSS and open redirect risks.

_Severity/Risk:_

**Minor**

_Versions affected:_

3.10 to 3.10.3, 3.9 to 3.9.6, 3.8 to 3.8.8 and earlier unsupported versions

_Versions fixed:_

**3.11, 3.10.4, 3.9.7 and 3.8.9**

_Reported by:_

Jordan Tomkinson

_CVE identifier:_

CVE-2021-32478

_Changes (master):_

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70622

_Tracker issue:_

MDL-70622 Reflected XSS and open redirect in LTI authorization endpoint

CVE-2021-32478: Reflected XSS and open redirect in LTI authorization endpoint

Cross-Site Request Forgery (CSRF) vulnerability affecting Delete Marker Category, Delete Map, and Copy Map functions in WP Google Map plugin (versions <= 4.2.3).

* Details
* Reviews
* Installation
* Support
* Development

This google maps plugin allows you to create google maps shortcodes to display responsive google maps on pages, widgets and custom templates. Show custom markers on each google maps and display messages inside infowindow on marker click.

**Watch Video**

Google autosuggest enabled location form helps you to create unlimited markers and then assign markers to a google map. It’s super easy.

> Here is a quick highlight on the numerous customizable features offered by the free and pro versions of the **WP Google Map Pro Version**.

**Lite Version (Free)**

* Add unlimited locations with various information.
* Assign multiple locations to a single map.
* Display a info window message to any location.
* Map Marker Infowindow Open On: Mouse Click or Mouse Hover.
* Display map on posts/pages using shortcode.
* Decide center latitude and longitude for each map separtely.
* Easy way to assign category to any location.
* Select your marker icon for markers.
* Easily edit or delete map functionality.
* Assign your own markers to categories or choose colorful markers from +500 readymade markers provided by the Maps Icons Collection.
* Select among 4 map type : Roadmap,Satellite,Hybrid,Terrain
* Set your map height and width.
* Set Map zoom level.
* Map can be Draggable
* Display traffic real time conditions and overlays using Layers.
* Add bicycle path information to your maps using the Bicycling Layer.
* Enable Map Transit layer
* Marker Animation on Click or Mouse hover the marker.
* 45° imagery functionality
* Add circle in your Maps plugin
* Create a map just in seconds.
* Street view supported
* widget supportive : Display Google Maps on sidebars using widget.
* Pov Heading and Pov Pitch for street view.
* Fully Responsive.Display your map perfectly on all devices.
* Create 100% responsive maps effortlessly.Tested on real devices.
* A Cross Browser Compatible plugin. Fully tested on IE8, IE9, IE10 and all major browsers
* Multi-lingual Supported.
* Multisite Enabled and ability to activate it network wide.
* Map Stylization : Customizable Google maps style from https://snazzymaps.com.
* Search control on frontend map to search location easily.
* Filter markers by category.

**Features available in Pro version**

\[WP Google Map Pro\] (https://codecanyon.net/item/advanced-google-maps-plugin-for-wordpress/5211638) offers awesome features such as

* Marker Clustering : Enable marker clusters if you have too many locations.
* Map Layers : Display Traffic Layer , Bicycling Layer, Transit layer
* Import/Export Locations : Import Export Locations supported using CSV.Sample csv is attached in pro version.
* Draw shapes : rectangle, circle, polygon and polyline.
* Display unlimited shapes. Display Message on shape click or Redirect to external link.
* Direction & Route : Directions & Route Suggestion. Display directions results in KM and MILES.
* Listing : Display listing in grid or list style. Fully responsive.
* Sort listing by location, category and address alphabetically in location listing.
* Marker Category : Assign multiple categories to a location.
* Infowindow Contents: Customize infowindow contents with help of Placeholders.
* Display Posts Information, custom fields, taxonomies and featured images on infowindow message using placeholders.
* Unlimited number of map markers and locations.
* Set your own google map marker icon
* Drag and drop feature for markers, custom animation support
* Allows to display the user location on map.
* Nearby locations based on user’s current location.
* Display Posts/Pages or Custom Post Types on google maps using **custom fields**.
* Center the map based on visitor’s current location.
* Define overlays on Google maps via an easy to use interface.
* Integrate GEOJSON in to google maps.
* Display multiple Kml/Kmz Layer on the map.
* Fusion Table Layers.
* Add Geo location
* Add any number of Google maps on pages/posts/sidebars.
* Allows to insert the map as widget on sidebars.
* Add unlimited locations using an easy to use interface for Google Maps.
* Display location title, location category, location latitude, location longitude with location message in the infowindow.
* Create unlimited maps and display on posts/pages using shortcode or in sidebar using widget.
* Design your own Google map skins easily. Turn ON/OFF roads, places, water area.
* Ability to display infowindow on mouse click on mouse hover.
* Display your map perfectly on all devices. Create 100% responsive maps effortlessly.
* Multi-lingual Supported.
* Display physical maps based on terrain information.
* Display Google Earth satellite images on just one click.
* Display maps in a blend of normal and satellite views.
* Setup POV Heading and POV Pitch of Street View to customize Street View output of a location.
* Full support of controls of the Google map, such as zoom control, map type control, scale control, street view control, fullscreen and rotate control
* Drag and drop feature for markers, custom animation support
* Modify Locating Listing using Placeholder.
* Hooks Supported – Use actions & filters to modify map,markers,listing and associated html on fly.
* Display locations listing with filters & pagination. Fully customizable using backend settings and hooks.
* Use “wpgmp\_geo\_tags\_args”, “wpgmp\_geo\_featured\_image”, “wpgmp\_geotags\_placeholder”, “wpgmp\_geotags\_content” hooks to extend Posts on google maps functionality as you want.
* Use External Database or Sources to add markers on google maps using new filter wpgmp\_marker\_source.
* Load markers from external database or API sources with help of filters (Hooks).
* A Cross Browser Compatible plugin. Fully tested on IE8, IE9, IE10 and all major browsers
* Multisite Enabled and ability to activate it network wide.
* Visit our Pro Edition WP Google Map

**Live Examples**

* Google Maps Pro Plugin Live Demo

**Links**

Available on Codecanyon | 
Live Examples | 
Developed by flippercode

This section describes how to install the plugin and get it working.

 1. Upload the wp-google-map-plugin directory to the /wp-content/plugins/ folder
 
 2. Once the plugin is uploaded log into WordPress and go to Plugins
 
 3. Find the wp-google-map-pluginplugin and click Activate Plugin
 
 =How to work=
 
 1. Go to settings page of plugin and insert your google maps api key. see full instruction [How to create Api key](https://www.wpmapspro.com/docs/how-to-create-an-api-key/)
 
 2. First create your locations using 'Add Location' page.
 
 3. Then create your first map using 'Add Map' page and assign your locations.
 
 4. Each map is assoicated to a shortcode. You can view shortcode on 'Manage Maps' and copy and paste it on your pages or posts. You can display your google maps in the sidebar using widget.
 

**Can I create a custom marker ?**

Yes, you can upload your own marker image or you can choose from readymade icons.

**Do I need to calculate latitude & longitude myself ?**

No, Address field is google autosuggest enabled so you just start typing and choose your address. Latitude & Longitude will be calculated automatically.

**How many locations I can assign to the map?**

You can assign as many as location you want to display on google maps.

**How to display map on page?**

Go to ‘Manage Maps’ and copy the shortcode for your map. Each map will have own shortcode. You just paste that on your page.

**Can I display map using widget?**

Yes, First create your map and then you can display your map in sidebar from widget section.

**How to register google maps api key?**

Go to \[Google Maps API console\] 
(https://console.developers.google.com/flows/enableapi?apiid=maps\_backend,geocoding\_backend,directions\_backend,distance\_matrix\_backend,elevation\_backend,places\_backend&keyType=CLIENT\_SIDE&reusekey=true&pli=1) 
and you can create your google maps api key here.

We have a guide \[Important Changes in Google Maps\] 
(https://console.developers.google.com/flows/enableapi?apiid=maps\_backend,geocoding\_backend,directions\_backend,distance\_matrix\_backend,elevation\_backend,places\_backend&keyType=CLIENT\_SIDE&reusekey=true)

For troubleshooting releated to \[Google Maps Api Key\] 
(https://www.linkedin.com/pulse/important-changes-google-maps-api-v3-website-owners-sandeep-kumar)

**How to upgrade to pro version?**

You can purchase Google Maps Pro Version and then just keep your lite version deactivated and then activate the pro version. You’ll not loss any of your data. Your all data will be migrated to pro version automatically.

**Do we have Live Demo?**

Yes, You can click on Google Maps Pro Live Demo and mail us at hello at flippercode dot com if any pre-purchase query.

**Do we have a Documentation?**

Yes, You can click on WP Google Map Pro Guide and you will get all documentation with proper steps and video tutorials.

**Do we have offer refund?**

Yes, You can get refund any time if pro version is not suitable for you.

**Do we have offer customization?**

Yes, You can mail us your requirement at hello at flippercode dot com.

![](https://secure.gravatar.com/avatar/15dffc16f6b853074f071d2c1e84e51e?s=60&d=retro&r=g)

The support team was very fast and fixed my problem - even with just the free Plan Also very good Plugin and easy to use!

![](https://secure.gravatar.com/avatar/ed670c5e939abc7bd9908eafc762cac1?s=60&d=retro&r=g)

HI, Special thanks to Sandeep Kumar (Founder, Flipper Code Private Limited) really very help full He sorted plugin conflict on my site in very short time. I am very happy with plugin support.

![](https://secure.gravatar.com/avatar/50692cafc999b1a4030c0caff9b4baef?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/d1e1ba9d2e108d18d75214ce8742565e?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/5e28959a11610330b6212840b69a0d48?s=60&d=retro&r=g)

Matthew Lau responded with answers to my support questions quickly and was very friendly, clear and concise. Thank you Matthew! ~Betty

![](https://secure.gravatar.com/avatar/55ee27456d4f565f186e7a36f736e1b5?s=60&d=retro&r=g)

Flippercode helped me implement what I was looking for. Their plugin customization was extremely affordable and their responses were super fast! The plugin itself is extremely user friendly too. We will definitely be purchasing from them again for our other sites!

Read all 107 reviews

“WP Google Map Plugin” is open source software. The following people have contributed to this plugin.

Contributors

* ![](https://secure.gravatar.com/avatar/133bb52f2a720d6c050d3dc151ed47ad?s=32&d=mm&r=g) Flipper Code

**4.2.5**

* Fix : Infowindow HTML tags were stripping while updating the map.

**4.2.4**

* Fix : Confirmation popup added on bulk delete action for category,location and map.
* Fix : Security issue fixed for delete and copy map operation.

**4.2.3**

* Fix : ‘Select Category’ text displayed in marker category filter dropdown is now translatable.
* Fix : Fixed a logical validation issue on Add location form in back-end.

**4.2.2**

* Fix : UI issues of map controls caused by currently activated theme fixed.

**4.2.1**

* Fix : Warnings removed from frontend when map is deleted from backend.

**4.2.0**

* New : Confirmation boxes added before deleting locations / marker categories / maps.
* New : Addons introduction page updated.

**4.1.9**

* Fix : One warning and one notice fixed on add map page, code optimised.

**4.1.8**

* New : Dismissable notice to buy premium version plugin added.

**4.1.7**

* New : Better UI interface for backend forms.

**4.1.6**

* Fix: Calling files remotely fixed. Removed shorthand URLs. Text domain corrected. WordPress tested upto version number updated. Data sanitisation & escaping work done. Unused code removed. Design issue fixed on manage location and manage maps page. New filter added.

**4.1.5**

* Fix: SQL vulnerability issue fixed.

**4.1.4**

* Fix: SQL security issue fixed.

**4.1.3**

* New: New hooks added before and after map rendering.
* New: Extentions related information provided.

**4.1.2**

* Fix: Missing translation files added.

**4.1.1**

* New: Search control on map for easy location searching.
* New: Filter markers by category.

**4.1.0**

* Fix: Removed reported vulnerability. Updated code in data save modules and applied more security.
* New: Display google maps in different beautiful skins. Snazzy maps support integrated.

**4.0.9**

* Fix: Removed PHP Warnings and coding standard updated.

**4.0.8**

* Fix: Broken link fixed.

**4.0.7**

* Fix: Optimized CSS and removed unused CSS, Files and Code.

**4.0.6**

* Fix: Optimized CSS and removed unused CSS, Files and Code.

**4.0.3**

* Fix: Removed unused file.

**4.0.2**

* Fix: call\_user\_func\_array is resolved.

**4.0.1**

* Fix: Blank Page on Add Map is fixed.

**4.0.0**

* Improvement: New UI for Backend Pages and Forms.
* New: Ability to customize info window message using placeholder.
* New: Ability to show info window on click or mouseover.
* New: Set default marker icon for the map.

**3.2.0**

* Security Fix: Security vulnerablity is resolved.

**3.1.6**

* Improvement Fix: How to use plugin instruction added.

**3.1.5**

* Improvement Fix: CSS fixed for wordpress 4.6.

**3.1.4**

* Improvement Fix: Missing google maps api key notification added on location page.

**3.1.3**

* Fix: Indexed Warning is resolved in class.initial-core.php.

**3.1.2**

* Fix: XSS Vulnerability is resolved.

**3.1.1**

* Fix – Access level to WP\_List\_Table\_Helper::pagination() must be public.

**3.1.0**

* New – resize\_map() function is added to correct the grey map in tabs issue.
* Improvement – Remove directory reading functions.

**3.0.9**

* Multi-site bug resolved.

**3.0.5**

* Lang slug changed to wp-google-map-plugin as per wordpress.org requested.

**3.0.4**

* links in the info window is broken due to missing stripslashes function – resolved.

**3.0.3**

* wpgmp\_admin\_overview capability added to read how to use instructions.

**3.0.2**

* echo $before\_widget and $after\_widget added for correct widget output.

**3.0.1**

* Category icon broken issue resolved.
* Markers are not displaying on the map, issue resolved.
* Infowindow Message is not showing on marker click, issue resolved.

**3.0.0**

* Sanitize all inputs and outputs.
* New file & folder structure.
* Object oriented based coding according to wordpress standard coding rules.
* Clean bootstrap based design.
* Ability to show any number of google maps on a single map.
* Decide center latitude and longitude for each map.
* POV Heading and Pov Pitch for street view.
* Sub categories supported.
* Redirect to URL on marker click.
* City, State, Country and Postal code new fields in location form.
* Apply marker animation.
* Position google maps controls e.g Pan,Zoom,May Type with easy to use interface.

**2.3.10**

* CSRF Protection added on add/edit location.
* CSRF Protection added on add/edit map.
* CSRF Protection added on add/edit category.

**2.3.9**

* Display more than 10 locations on Manage Locations using Screen Options.
* Display more than 10 maps on Manage Categories using Screen Options.
* Display more than 10 categories on Manage Maps using Screen Options.
* SSL Supported.

**2.3.8**

* locations, maps and category was not showing on manage pages in wordpress 4.2 resolved.

**2.3.7**

* Improvement Fix: Fixed add\_query\_arg() and remove\_query\_arg() usage to avoid XSS Vulnerability.

**2.2.0**

* Twitter Bootstrap 3 Based.
* Solved Featured Image Problem.

**2.1.0**

* Infowindow CSS Improved.
* Optimized Code for Fast Map Experience.
* Solved Layer Display Problem.

**1.2.0**

* Zero Configuration Enabled.
* Managed Navigation.
* Custom Icon using Widget.

**1.1.0**

* Solved zoom toolbar bug.
* Solved white lines on the map.
* Added Widget Support.
* Added multiple maps on a page support.

CVE-2022-25600: WP Google Map Plugin

Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).

* Details
* Reviews
* Installation
* Support
* Development

> Displays a user-friendly contact form that your visitors will love.

CFX: Contact form reinvented. Fast and friendly. Fresh and clean. Awesome for everyone 🙂

**Overview**

Install, activate, and then display the form anywhere, using the widget, shortcode, or template tag. Here is an overview of Contact Form X:

* Easy to use
* Simple and secure
* Lightweight and super fast
* Provides multiple form styles
* Customize just about everything
* Display the contact form anywhere
* Change the order of the form fields
* Send email to multiple recipients
* Complete documentation via Help tab
* Excellent free plugin support

> “The famous spam filter SpamAssassin” scores CFX = zero spam!

For more details, check out the “Screenshots” section, below.

**Form Fields**

Easily choose which fields to display in the form. Each field may be set as required, optional, or disabled. Choose from these fields:

* Name
* Website
* Email
* Subject
* Custom Field
* Challenge Question
* Message
* Google reCaptcha (v2 or v3 Invisible)
* Carbon Copy
* Agree to Terms

You can change the order of these fields and customize their labels and placeholders, everything is super flexible.

**For a live demo** of Contact Form X, visit my contact page at Perishable Press. Note: the form at Perishable Press is highly customized with CSS, but all other functionality is the same. Feel free to send a test email to see how it works, I won’t mind 😉 Also check out CFX in the “Screenshots” section (below) for a better idea of how the default form is styled out of the box.

**Privacy**

To help protect user privacy, Contact Form X provides the following features:

* Agree to terms checkbox, customizable
* Choose which fields to include with the form
* Option to disable collection of user IP address and other data
* Note: this plugin uses cookies to enhance form functionality

Basically, this plugin enables visitors to send a message via contact form. Any information the user enters into the form will be sent directly to the recipient(s) according to plugin settings. When enabled in the plugin settings, details about each sent message will be stored in the WordPress database. Visit the “Advanced” plugin settings to control this and other data-collection features.

**Note:** This plugin provides an option to enable Google reCaptcha, which is provided by Google as a third-party service. For details on privacy and more, please refer to official documentation for Google reCaptcha.

CFX is developed and maintained by Jeff Starr, 10-year WordPress developer, security specialist, and book author.

**Geeky Stuff**

Lots of goodness for the geeks among us:

* Built with the WordPress API
* Ajax-powered form submission
* Remembers form data on error
* Google reCaptcha version 2
* NEW: Google reCaptcha version 3 (invisible)
* NEW: Drag/drop ordering of the form fields
* View your email messages on the WP Dashboard
* Option to enable/disable storing of email data in database
* Display form via widget, shortcode, or template tag
* Five CSS themes: Default, Classic, Micro, Synthetic, Dark
* Optionally collect user data like IP, host, and referrer
* Works perfectly with or without Gutenberg Block Editor
* Focused on performance, security, and usability
* Include extra form and user info with each message
* Customize the form’s success and error messages
* Provides plenty of useful hooks for developers
* Targeted loading of CSS and JavaScript assets
* One-click remove email data from database
* One-click restore default options
* Translation ready

Contact Form X is a fresh new, lighter alternative to the heavier contact forms out there. CFX is lightweight yet fully featured. As they say, “everything you want, nothing you don’t”.

**Support development of this plugin**

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

* The Tao of WordPress
* Digging into WordPress
* .htaccess made easy
* WordPress Themes In Depth
* Wizard’s SQL Recipes for WordPress

And/or purchase one of my premium WordPress plugins:

* BBQ Pro – Super fast WordPress firewall
* Blackhole Pro – Automatically block bad bots
* Banhammer Pro – Monitor traffic and ban the bad guys
* GA Google Analytics Pro – Connect WordPress to Google Analytics
* USP Pro – Unlimited front-end forms

Links, tweets and likes also appreciated. Thanks! 🙂

**Installing the plugin**

1. Upload the plugin to your blog and activate
2. Configure the plugin settings as desired
3. Display the form on any post or page via shortcode: `[contactformx]`

Visit the Help tab on the plugin settings page for complete documentation.

More info on installing WP plugins

**Uninstalling**

This plugin cleans up after itself. All plugin settings will be removed from your database when the plugin is uninstalled via the Plugins screen.

Note: uninstalling/deleting the plugin via the WP Plugins screen results in the removal of all settings and email data from the WP database.

**Like the plugin?**

If you like Contact Form X, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!

**What about the styles?**

The plugin provides five form styles (themes): Default, Classic, Micro, Synthetic, and Dark.

The first three themes (Default, Classic, Micro) employ minimal, mostly structural styles. One of the benefits of using the minimal styles is that they allow your WordPress theme to set the form’s appearance. And that’s good because it helps keep your pages looking visually consistent across your site.

The last two themes (Synthetic, Dark) go much further with the stylings. The Synthetic and Dark styles will override any/most CSS applied via your WordPress theme. So if the contact form looks weird or whatever when trying Default, Classic, or Micro, try either Synthetic or Dark should do the trick.

**What about targeted loading of assets?**

Sure. By default, Contact Form X loads its assets (CSS and JavaScript) on every front-end page. So if you display a contact form in your sidebar, it will work on all pages.

Some sites prefer to have a “Contact” page, and then just display the contact form in one location. In this scenario, it doesn’t make sense to include plugin assets on every front-end page. So CFX provides a setting called “Targeted Loading” (under the Advanced tab). There you can enter the URL of the page that displays the contact form. That way, the plugin will know to load assets only on that page. This is an excellent way to help keep things optimized for performance and so forth.

**How to change the button color?**

In the plugin settings, visit the “Appearance” tab. There you will see the first option, “Form Style”. That tells you which styles are used for the form. So to change the button color, scroll down to locate the styles that you are using (e.g., Default, Classic, Micro, et al). To change the color of the submit button, add the following line to whichever styles you are using:

 #cfx .cfx-button { background: red !important; }
 

Change the `red` to whatever color you want. Can use hex values, rgba, or any valid CSS properties. Save changes and done.

Visit the Advanced tab and enable “Extra Email Info” option. Save changes and done.

**How to defer or async loading of JavaScript?**

The recommended way to defer or async load JavaScript is to use a trusted plugin, such as this one.

**How to set maxlength on the Message textarea?**

It is possible to set a `maxlength` attribute on the Message field, a textarea. To do so, add the following code via (child) theme or custom plugin:

 function contactformx_textarea_maxlength($chars) { return 500; }
 add_filter('contactformx_textarea_maxlength', 'contactformx_textarea_maxlength');
 

You can adjust the number of characters by changing `500` to any number.

**How to display the form shortcode inside a widget?**

Enable the Advanced option, “Widget Shortcodes”. Save changes and done.

**How to change the language for Google reCaptcha?**

By default, the Google reCaptcha field is displayed in English. To change that to some other language, first locate the two-digit abbreviation for your language here. Then add the following code to your theme (or child theme) functions.php, or add via simple custom plugin:

 function contactformx_recaptcha_querystring($query) { return 'en'; }
 add_filter('contactformx_recaptcha_querystring', 'contactformx_recaptcha_querystring');
 

Notice where it says `en`, that is the two-character language code you want to replace with your own. Then save changes and done.

**How to remove or empty the old database table?**

In CFX v1.9, sent emails optionally may be stored in the database as custom post types. Before CFX v1.9, email data was stored in its own/separate database table. So that means users who are upgrading from previous versions to 1.9 or better will have an unused email table in their database. It won’t hurt or affect anything, but you may want to empty or remove it to help save space.

**Important:** the following steps are for users of CFX v1.9+ who have upgraded from a previous version. Do NOT follow these steps if using CFX versions less than 1.9, OR if you never have used any version of CFX less than 1.9.

To **empty** the old/unused CFX database table:

1. Log in to WordPress as admin-level user
2. Create a new page and leave in Draft status
3. Add `[contactformx_legacy_empty_table]` to the page
4. Preview the page on the frontend
5. Click the link to Empty the CFX database table
6. After seeing the success message, delete the draft page and shortcode

To **remove** the old/unused CFX database table:

1. Log in to WordPress as admin-level user
2. Create a new page and leave in Draft status
3. Add `[contactformx_legacy_drop_table]` to the page
4. Preview the page on the frontend
5. Click the link to Empty the CFX database table
6. After seeing the success message, delete the draft page and shortcode

Using a temporary/draft page for the shortcode and then deleting it afterwards ensures that only YOU are making changes to the database. It is important to not display either of the above shortcodes publicly.

**Got a question?**

Send any questions or feedback via my contact form

![](https://secure.gravatar.com/avatar/d9adcb47896a57300a6ccbccd98014a9?s=60&d=retro&r=g)

Works great, feels fast and light.

![](https://secure.gravatar.com/avatar/5081c74020de48e16ee5c9385ef0a0f1?s=60&d=retro&r=g)

This form plugin is way better than contact form 7. I have a feature request. Plz load the css and js only in the page where the shortcode is used. I know there is a manual option available for that. But not every people notices that and site speed becomes slower because of shitty recaptcha js file.

![](https://secure.gravatar.com/avatar/b2246b9e0e00566cde0261e1d007a926?s=60&d=retro&r=g)

It just works, straight out of the box, and the emails go right to my inbox (not spam)! And it literally takes minutes to get it up and running! My old contact form stopped working (wasn’t developed anymore), and WPforms didn’t work (it only sent one test email to spam, then stopped working all together). Thank you so much Jeff!

![](https://secure.gravatar.com/avatar/6fff7999331de37636be6ae7f2db4a8a?s=60&d=retro&r=g)

Finally a good simple alternative. The only thing lacking is support for multiple forms and multilingual support

![](https://secure.gravatar.com/avatar/3996e7ae9113c8be2f0b278ba1505e41?s=60&d=retro&r=g)

I was looking for a simple contact form, i found it. I like "Targeted Loading" option: the plugin assets are only loaded on one page, the page where the form is used. You need only to add the page link of the contact form. The plugin setup is very easy, and include all the options that should have a contact form. Thank you Jeff Starr for this plugin.

![](https://secure.gravatar.com/avatar/7af69b1c06a459aae1ec040d99914e74?s=60&d=retro&r=g)

I love Contact Form X. It's as simple as it gets, but it's also possible to customise should you wish. If you're having issues with form spam, this plugin will sort it. I've used it on multiple WP sites with great results. Thanks Jeff!

Read all 25 reviews

“Contact Form X” is open source software. The following people have contributed to this plugin.

Contributors

* ![](https://secure.gravatar.com/avatar/f5b7d448eb7f9dd12b2f652be3ea5de5?s=32&d=mm&r=g) Jeff Starr

If you like CFX, please take a moment to give a 5-star rating. It is super appreciated and really helps to keep plugin development going strong.

**2.4.1 (2022/02/24)**

* Improves security on plugin settings page (Thanks Vlad Ex.Mi)
* Generates new default translation template
* Tests on WordPress 5.9

**2.4 (2022/01/08)**

* Improves loading of translations
* Improves performance of plugin settings
* Updates some links to external resources
* Changes minimum required WP version to 4.6
* Tests on WordPress 5.9

**2.3 (2021/07/12)**

* Adds filter hook `contactformx_send_carbon_message`
* Adds `.cfx-noscript-wrap` to `<noscript>`
* Improves CSS for Dashboard widget
* Improves CSS for success message
* Improves CSS for plugin settings
* Tests on WordPress 5.8

**2.2.1 (2021/02/12)**

* Fixes bug with Email Recipient settings (Thanks @mbrsolution)
* Tests on WordPress 5.7

**2.2 (2021/02/08)**

* Fixes `call_user_func()` expects parameter 1 to be valid callback
* Adds filter hook `contactformx_recaptcha_querystring`
* Tests on WordPress 5.7

**2.1 (2020/11/08)**

* Adds drag/drop ordering of form fields 🙂
* Adds option to enable display of shortcodes in widgets
* Adds option to display dashboard widget when user can `edit_post`
* Adds filter hook `contactformx_textarea_maxlength`
* Updates plugin script to account for changes in jQuery UI
* Simplifies enqueue logic for plugin settings page
* Improves form HTML and CSS for better validation
* Replaces `linear-gradient(top` with `linear-gradient(to bottom`
* Updates Help tab information
* Updates default translation template
* Improves display of settings page
* Generates new default translation template
* Tests on PHP 7.4 and 8.0
* Tests on WordPress 5.6

**2.0 (2020/07/31)**

* Changes default “From” address to “wordpress@yourdomain.com”
* Adds options to display success message without the reset button
* Fixes bug with fields not forgetting submitted values
* Fine tunes the CFX dashboard widget
* Updates contextual Help tab information
* Generates new default translation template
* Refines readme/documentation
* Tests on WordPress 5.5

**1.9.2 (2020/06/08)**

* Sets `exclude_from_search` to `true`
* Tests on WordPress 5.4

**1.9.1 (2020/03/11)**

* Fixes bug where dates not showing on dashboard widget
* Tests on WordPress 5.4

**1.9 (2020/03/08)**

* Adds option to disable storing email info in database
* Replaces custom database table with custom post types
* Adds Google reCaptcha v3 (hidden reCaptcha)
* Updates Google reCaptcha version 2 library
* Improves “Email Message Extra” option name and description
* Improves sanitization of post data
* Improves security of form cookies
* Improves display of dashboard widget
* Improves default button styles
* Improves noscript display styles
* Adds legacy functions for database
* Fixes PHP warning for `contactformx_enqueue_resources_admin()`
* Fixes incorrect URL for email icon
* Updates infos in the plugin Help tab
* Generates new default translation template
* Tests on WordPress 5.4

**1.8 (2019/10/24)**

* Updates styles for plugin settings page
* Improves logic of `contactformx_maybe_enqueue()`
* Generates new default translation template
* Tests on WordPress 5.3

**1.7 (2019/09/02)**

* Fixes bug with non-admin users
* Fixes bug with default subject line
* Fixes bug with carbon copy reply-to address
* Adds support for autofill values on input fields
* Tweaks function `contactformx_enable_data()`
* Improves targeted enqueue scripts functionality
* Renames `contactformx_send_headers` to `contactformx_mail_headers`
* Generates new default translation template
* Fine-tunes display of plugin page
* Updates some links to https
* Tests on WordPress 5.3 (alpha)

**1.6 (2019/04/28)**

* Bumps minimum PHP version to 5.6.20
* Updates default translation template
* Tests on WordPress 5.2

**1.5 (2019/03/04)**

* Bumps minimum PHP version to 5.3
* Removes support for deprecated reCaptcha
* Adds responsive styles for mobile browsers
* Changes input type to email for email field
* Simplifies “Additional Information” display
* Bugfix: label and placeholder in reverse order
* Tweaks plugin settings screen UI
* Generates new default translation template
* Tests on WordPress 5.2 (alpha)

**1.4 (2019/02/02)**

* Just a version bump for compat with WP 5.1
* Full update coming soon 🙂

**1.3 (2018/11/12)**

* Adds homepage link to Plugins screen
* Adds option to display “powered by CFX”
* Improves display of CFX dashboard widget
* Improves logic of `contactformx_print_js_vars_admin`
* Improves logic of `contactformx_maybe_enqueue`
* Updates default translation template
* Tests on WordPress 5.0 (beta)

**1.2 (2018/08/13)**

* Tweaks styles on plugin settings page
* Replaces `wp_kses_post` with `wp_strip_all_tags` for style settings
* Adds `rel="noopener noreferrer"` to all blank-target links
* Updates donate link
* Updates GDPR blurb
* Adds option to customize invalid-email error message
* Improves CSS for all form styles
* Improves CSS for Dashboard widget
* Adds “Rate Plugin” link to Advanced tab
* Updates value of `CONTACTFORMX_HOME` constant
* Regenerates default translation template
* Further tests on WP versions 4.9 and 5.0 (alpha)

**1.1 (2018/06/07)**

* Changes required to host plugin at WordPress.org

**1.0 (2018/06/05)**

* Initial release

CVE-2022-25601: Contact Form X

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.12.

@@ -11,6 +11,9 @@

  

namespace MicroweberPackages\\Tax;

  

use Illuminate\\Support\\Facades\\Validator;

use MicroweberPackages\\Helper\\HTMLClean;

  

class TaxManager

{

/\*\* @var \\MicroweberPackages\\App\\LaravelApplication \*/

@@ -50,6 +53,18 @@ public function save($params = array())

$params\['rate'\] = floatval($params\['rate'\]);

}

  

$rules = \[\];

$rules\['name'\] = 'required|max:500';

$rules\['type'\] = 'required|max:500';

$rules\['rate'\] = 'required|max:500';

  

$validator = Validator::make($params, $rules);

  

if ($validator\->fails()) {

$errors = $validator\->messages()->toArray();

return \['valid'\=>false,'errors'\=>$errors\];

}

  

$taxType = TaxType::where('id', $params\['id'\])->first();

if (!$taxType) {

$taxType = new TaxType();

CVE-2022-0928: upgrade taxes to laravel routers · microweber/microweber@fc9137c

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

**Content & configuration**

Swagger-UI configuration options:

SwaggerUI({
  enableQueryConfig: false // new
})

**Is your feature request related to a problem?**

We’ve observed that the ?url= parameter in SwaggerUI allows an attacker to override an otherwise hard-coded schema file. This opens the door to issues such as #3847 and #4789 which would otherwise be prevented by hard-coding the schema file URL.

The behavior appears to be a regression in the 3.x releases. It can easily be reproduced by passing in a URL to the SwaggerUIBundle constructor and then using the ?url parameter to override it, while observing the behavior in the Net panel of your browser’s developer tools. Note that CORS rules can prevent a test from succeeding, but do not prevent a real attack.

    const ui = SwaggerUIBundle({
      ...
      url: 'some-hard-coded-path.yml'
    });
    

Additionally, the URL parameter is dangerous in general because it allows an attacker to provide a similar schema file that instead sends authorization requests to a server under an attacker’s control, which makes it much easier to trick a user into leaking their login credentials. So the URL parameter should not be allowed in any setting where authentication or other sensitive information is used. I’d recommend disabling it by default and cautioning users against enabling it.

**Describe the solution you'd like**

for 3.x: Add an enableQueryParam or similar option. If omitted, default to false if a URL is passed into the constructor, otherwise default true.  
for 4.x: Change the default when omitted to false.

**Describe alternatives you've considered**

Our workaround was to detect the URL parameter before initializing SwaggerUI and failing early if it was set.

**Additional context**

This is taken from a security report given to the Swagger team by Ken Winters, based on investigation done by Gaurav Shet and Ben Zulanch - all over at NetApp.

The decision was made to put this in the public issue tracker because (a) we aren't going to immediately fix this, and (b) the attack surface for this is significantly diminished by our effective sanitization efforts to deter XSS attacks in documents used as input.

CVE-2018-25031: add an `enableQueryConfig` option · Issue #4872 · swagger-api/swagger-ui

lib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via an OpenOffice document, leading to account takeover in Horde Groupware Webmail Edition. This occurs after XSLT rendering.

@@ -98,7 +98,10 @@ protected function \_render()

} elseif ($file\['name'\] == 'content.xml') {

return array(

$this\->\_mimepart\->getMimeId() => array(

'data' => str\_replace(array\_keys($tags), array\_values($tags), $content),

'data' => Horde\_Text\_Filter::filter(

str\_replace(array\_keys($tags), array\_values($tags), $content),

'xss'

),

'status' => array(),

'type' => 'text/html; charset=UTF-8'

)

Tag

#xss