CVE-2022-50959
Description
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability in code_generator.php via the form_id parameter, allowing unauthenticated attackers to execute arbitrary JavaScript.
Vulnerability Details
The WordPress Contact Form Builder plugin version 1.6.1 is vulnerable to reflected cross-site scripting (XSS) in the code_generator.php file. The form_id parameter is not properly sanitized, allowing attackers to inject arbitrary JavaScript code [2]. This vulnerability is classified as CWE-79 and has a CVSS v3 score of 6.1.
Exploitation / Attack Surface
Exploitation requires only that a victim visits a crafted URL containing a malicious payload in the form_id parameter, such as http://example.com/code_generator.php?form_id=<script>alert('xss')</script> [3]. No authentication is needed, making the attack vector network-based with low complexity. The attacker has no privileges, but user interaction (clicking the link) is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites, depending on the attacker's objective.
Mitigation
The plugin has been closed as of March 7, 2024, due to security issues and is no longer available for download [1]. Sites running Contact Form Builder 1.6.1 are exposed and should remove the plugin immediately as no patched version is available. No workaround is known.
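Since no patched version exists, detection is the practical control while the plugin is still installed. The following added Python script (not part of this CVE record or the plugin's code) scans constructed web-server access-log lines for requests to code_generator.php whose form_id value is not the plain numeric id the parameter is expected to carry, reporting markup such as the <script> payload quoted above separately from other unexpected values. The combined log format, the assumption that a legitimate form_id is purely numeric, and the sample lines are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2026:10:00:01 +0000] "GET /code_generator.php?form_id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [18/May/2026:10:00:07 +0000] "GET /code_generator.php?form_id=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.2 - - [18/May/2026:10:00:09 +0000] "GET /index.php?p=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [18/May/2026:10:00:11 +0000] "GET /code_generator.php?form_id=abc HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate form_id is a plain integer id.
FORM_ID_OK = re.compile(r"^\d+$")
# Characters that cannot appear in a numeric id but do in HTML/JS markup.
MARKUP = re.compile(r"[<>\"']")

def classify_form_id(value: str) -> str:
    """Return 'ok', 'markup' or 'unexpected' for a form_id value from the query string."""
    decoded = unquote(value)  # parse_qs decodes once; this catches double-encoding
    if FORM_ID_OK.match(decoded):
        return "ok"
    if MARKUP.search(decoded):
        return "markup"
    return "unexpected"

def scan_log(text: str) -> list:
    """Return one finding per request to code_generator.php whose form_id is not a plain id."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/code_generator.php"):
            continue  # only the vulnerable endpoint is of interest
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("form_id", []):
            verdict = classify_form_id(value)
            if verdict != "ok":
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "verdict": verdict, "form_id": unquote(value)})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']}: form_id={f['form_id']!r} (HTTP {f['status']})")
```

A 200 status on a flagged request means the endpoint reflected the value rather than rejecting it, so each "markup" finding is a likely successful reflection, not just an attempt.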
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: =1.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.