Wordpress plugin supsystic contact form1.7.18 label stored crosssite scripting (xss) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-10-28 | Type : webapps | Platform : php
This exploit / vulnerability Wordpress plugin supsystic contact form1.7.18 label stored crosssite scripting (xss) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
# Date: 10/27/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://supsystic.com/
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.18
# Tested on : Windows 10

#Poc:

1. Install Latest WordPress

2. Install and activate plugin.

3. Open plugin, click "Add New Form" and select any form.

4. Click "Fields" tab and "Add New Field". Choose whatever you want.

5. Inject JavaScript payload which is mentioned below into 'label' field, save and alert will appear on the screen.

Payload : <img src=x onerror=alert(1)>

Wordpress plugin supsystic contact form1.7.18 label stored crosssite scripting (xss)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Wordpress plugin supsystic contact form1.7.18 label stored crosssite scripting (xss) Vulnerability / Exploit