Contact Form Clean and Simple is vulnerable to authenticated stored XSS. A user with admin capabilities can submit malicious code through the plugin’s options. The code is stored and then executed on every front-end page that contains the contact form.
Proof of concept
When the consent checkbox is checked and malicious code is added to the consent message box, users on the front-end are then subject to this code.
Video PoC: https://www.youtube.com/watch?v=mKg0TUqEhC8
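One way to close this class of bug, shown as an added example that is not the plugin's own code: filter the consent message against a small HTML allowlist when the option is saved, and again when it is rendered. The option name, settings group and function names are hypothetical; the WordPress calls (register_setting, wp_kses, get_option) are the standard ones.

```php
<?php
// Added example: hypothetical option and function names, not the plugin's code.

// Tags a consent message plausibly needs (e.g. a privacy-policy link).
// Anything else, including <script> and event-handler attributes, is stripped.
function example_consent_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
    );
}

// Sanitize on save: runs whenever the option is updated via the Settings API.
function example_sanitize_consent_msg( $value ) {
    return wp_kses( (string) $value, example_consent_allowed_html() );
}

add_action( 'admin_init', function () {
    register_setting(
        'example_contact_form_options', // hypothetical settings group
        'example_consent_msg',          // hypothetical option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_consent_msg',
        )
    );
} );

// Escape on output: filter again at render time, so values stored before the
// fix (or written straight to the database) are still neutralized.
function example_render_consent_field() {
    $msg = get_option( 'example_consent_msg', '' );
    ?>
    <label>
        <input type="checkbox" name="example_consent" value="1" required>
        <?php echo wp_kses( $msg, example_consent_allowed_html() ); ?>
    </label>
    <?php
}
```

wp_kses also drops href values whose scheme is not in WordPress's allowed-protocols list, so a javascript: link in the message does not survive either step.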
Plugin name: Contact Form Clean and Simple Plugin
Plugin Author: Meg Nicholas
- Tuesday, 14th of January 2020: Vulnerability detected by Jeroen Mulder. Plugin’s author notified.
- Tuesday, 21st of January 2020: Plugin author notified again after no response.
- Wednesday, 22nd of January 2020: Vulnerability posted to wpvulndb.com and this website.