VYPR
Moderate severity · NVD Advisory · Published Apr 29, 2022 · Updated Aug 4, 2024

CVE-2021-41948

Description

A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS <= 4.2.1 version via "List of subjects".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The "contact us" plugin for Subrion CMS (<= 4.2.1) has a stored XSS in the "List of subjects" setting: an administrator who can edit the plugin settings can store script that later executes in the browser of every visitor to the contact form.

Vulnerability

The "contact us" plugin for Subrion CMS version 4.2.1 and earlier contains a stored cross-site scripting (XSS) vulnerability in the "List of subjects" configuration field [1]. An attacker with administrative access to the plugin settings can store arbitrary HTML and JavaScript in that field; the stored value is later rendered into the contact form page seen by visitors. The defect sits in the plugin's admin panel and rendering path: subject entries are accepted without validation and are written into the page without HTML encoding, so markup in a subject becomes live markup in the visitor's browser [1][2].

Exploitation

To exploit this vulnerability, an attacker must have administrative privileges on the Subrion CMS instance to access the contact us plugin settings [1]. The attacker then navigates to the plugin configuration and inserts malicious JavaScript payloads into the "List of subjects" field. Once saved, any website visitor loading the contact form will trigger the stored script in their browser because the subjects are rendered without proper encoding [1]. No additional user interaction beyond viewing the page is required.
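The rendering difference described above, as an added illustration and not code from Subrion or the plugin: a minimal Python model of a template that builds the subject drop-down from the stored list, once without encoding (the vulnerable pattern) and once with HTML-entity encoding at the output boundary, plus a small check that tells a tester whether a marker subject came back as raw markup or as entities. The subject list, the payload and every function name are constructed for this example.

```python
import html

# Constructed sample of what an administrator could save in the plugin's
# "List of subjects" setting. The last entry is a hypothetical payload used
# only to show how unencoded output turns a setting into script.
SUBJECTS = [
    "General enquiry",
    "Billing & invoices",
    '"><script>alert(document.cookie)</script>',
]

# The part of the payload a tester would look for in the rendered page.
SCRIPT_MARKER = "<script>alert(document.cookie)</script>"


def render_subjects_vulnerable(subjects):
    """Vulnerable pattern: each stored subject is spliced straight into the
    markup. A subject containing '">' closes the value attribute and the
    rest is parsed as HTML, so the <script> element executes."""
    options = "".join(f'<option value="{s}">{s}</option>' for s in subjects)
    return f'<select name="subject">{options}</select>'


def render_subjects_hardened(subjects):
    """Hardened pattern: the same markup, but every subject is HTML-entity
    encoded at the point of output. quote=True also encodes " and ', which is
    what keeps the attribute value from being broken out of."""
    options = "".join(
        '<option value="{0}">{0}</option>'.format(html.escape(s, quote=True))
        for s in subjects
    )
    return f'<select name="subject">{options}</select>'


def classify_reflection(page_html, marker):
    """Check helper for a rendered contact page: report whether a marker that
    was stored as a subject appears in the page as raw markup ("unencoded",
    the vulnerable case), as entities ("encoded", the fixed case), or not at
    all ("absent", e.g. the subject was never saved or the plugin is off)."""
    if marker in page_html:
        return "unencoded"
    if html.escape(marker, quote=True) in page_html:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for name, render in (("vulnerable", render_subjects_vulnerable),
                         ("hardened", render_subjects_hardened)):
        page = render(SUBJECTS)
        print(f"{name}: {classify_reflection(page, SCRIPT_MARKER)}")
```

The check deliberately matches the encoded form that `html.escape` produces; a template engine that encodes differently (numeric entities, for example) would still be safe but would need its own expected form in `classify_reflection`.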

Impact

Successful exploitation results in stored cross-site scripting (XSS) [1]. The attacker can execute arbitrary JavaScript in the context of any visitor's browser session on the affected site. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is amplified because the payload executes for all users visiting the contact page, not just administrators [1].

Mitigation

No official patch has been released for this vulnerability in the available references [1][2], and the plugin's repository appears unmaintained [3]. Administrators should disable or remove the contact us plugin if it is not essential, and otherwise restrict the ability to edit plugin settings to trusted users only, since the injection point is an administrative setting rather than visitor input. As a general defence in depth against stored XSS, a Content-Security-Policy that disallows inline script limits what an injected payload can do even if it is rendered. Monitor the GitHub issue [1] for any future fix. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: intelliants/subrion (Packagist)
Affected versions: <= 4.2.1
Patched versions: none listed

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.