WP-ContactForm HTML Injection Vulnerability

The popular WP-ContactForm plugin has been found vulnerable to HTML Injection.

This could allow an attacker to compromise your blog if you are authenticated to your blog while visiting a page that embeds the attack. Another common delivery method is a phishing-style e-mail.

BlogSec is not aware of any fixes as yet. We will update this post when more information is available to us.

Credit to Mustlive for discovering and publishing the vulnerability.

Check BlogSec’s double agent post for HTML Injection mitigation ideas.
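As an added illustration of the mitigation the post points to (example code, not WP-ContactForm's own), here is the pattern behind this class of bug: a contact form that echoes a submitted field back into the page unescaped, beside the same handler using WordPress's escaping helpers. The field name `cf_name` and the function names are assumptions.

```php
<?php
// Added example (not WP-ContactForm code). The field name 'cf_name' and the
// function names are hypothetical; esc_attr(), esc_html() and
// sanitize_text_field() are WordPress core helpers.

// Vulnerable pattern: the submitted value is echoed straight back into the
// form markup. Any HTML in the request becomes part of the page, which is
// then rendered in the browser of whoever submitted (or was tricked into
// submitting) the request, including a logged-in administrator.
function render_name_field_unsafe() {
    $name = isset($_POST['cf_name']) ? $_POST['cf_name'] : '';
    echo '<input type="text" name="cf_name" value="' . $name . '">';
}

// Hardened pattern: treat the value as data, not markup, and escape it at
// output time for the exact context it lands in (here an HTML attribute).
function render_name_field_safe() {
    $name = isset($_POST['cf_name']) ? sanitize_text_field($_POST['cf_name']) : '';
    echo '<input type="text" name="cf_name" value="' . esc_attr($name) . '">';
}

// Same rule when the value lands in element content rather than an
// attribute, e.g. a confirmation message after a successful send.
function render_confirmation_safe($name) {
    echo '<p>Thanks, ' . esc_html($name) . '. Your message was sent.</p>';
}
```

The fix is context-specific escaping on every output path, not a one-time input filter: a value that is safe inside an attribute is not automatically safe inside element text or a script block.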



Comments

These are vulnerabilities in WP-ContactForm 2.0.7 (and previous 2.x versions). And recently I wrote (http://websecurity.com.ua/1641/) about XSS holes in WP-ContactForm 1.5 alpha (and previous 1.x versions) of the plugin.

So users of both the original 1.x version and the new 2.x version of the plugin are at risk. And they need to fix these holes.

Mustlive, thanks for the heads up.

@mustlive… “And they need to fix these holes.”
Do you have any suggestions as to how I can fix these holes, or do I simply de-activate the plug-in?
More importantly: Is there a safe replacement plug-in?

Happy Christmas, etc.,
Michael
