Easy Contact Form Lite < 1.1.29 - Contributor+ Stored XSS
Description
The Contact Form Plugin WordPress plugin before 1.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as Contributors to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Contact Form Lite (contact-form-lite) - Range: <1.1.29
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping in plugin settings allows stored XSS."
Attack vector
An attacker with Contributor-level privileges (or higher) can inject malicious JavaScript into a plugin setting that is later rendered without proper escaping. When an administrator or other user views the affected settings page, the stored script executes in their browser session, leading to Stored Cross-Site Scripting (XSS) [CWE-79] [ref_id=1]. The attack requires only the ability to edit plugin settings, which is available to Contributor roles in WordPress.
Affected code
The plugin's settings page does not sanitize or escape user-supplied input before storing or rendering it. The advisory does not specify exact file or function names, but the vulnerability resides in the settings-handling code of the Contact Form Lite plugin (contact-form-lite) prior to version 1.1.29 [ref_id=1].
What the fix does
The advisory states the fix is included in version 1.1.29 of the Contact Form Lite plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation involves properly sanitizing and escaping the plugin's settings before output to prevent stored XSS. Users should update to version 1.1.29 or later.
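Since the advisory describes the fix only at the level of "sanitize and escape the settings", the following PHP is an added illustration of that remediation pattern for a generic WordPress plugin setting; it is not code from the Contact Form Lite plugin or its 1.1.29 patch. The option name `ecfl_demo_form_title`, the settings group `ecfl_demo_options` and the nonce action `ecfl_demo_save` are hypothetical names chosen for the example. The unsafe variant stores a request value verbatim and echoes it back unescaped; the hardened variant gates the save on a capability and a nonce, sanitizes on write through the Settings API's `sanitize_callback`, and escapes on output according to the HTML context.

```php
<?php
// Added example (not the plugin's own code): the stored-XSS pattern in a
// settings field beside the hardened WordPress pattern.

// ----- Vulnerable pattern (what "missing sanitization and escaping" looks like) -----
function ecfl_demo_vulnerable_save() {
    // No capability check, no nonce, no sanitization: any user who can reach this
    // handler stores arbitrary markup in the option.
    update_option( 'ecfl_demo_form_title', $_POST['form_title'] );
}

function ecfl_demo_vulnerable_render() {
    // No escaping: the stored value is written straight into the admin page, so
    // it executes in the browser of whoever views the settings screen.
    echo '<input type="text" name="form_title" value="' . get_option( 'ecfl_demo_form_title' ) . '">';
}

// ----- Hardened pattern -----
function ecfl_demo_register_settings() {
    // sanitize_callback is applied by WordPress on every save of this option,
    // so a bypass of the form handler still cannot store raw markup.
    register_setting(
        'ecfl_demo_options',
        'ecfl_demo_form_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'ecfl_demo_register_settings' );

function ecfl_demo_secure_save() {
    // Only administrators (manage_options) may change plugin settings; this is
    // the check that keeps a Contributor-level account out of the settings path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // CSRF protection: the request must carry the nonce emitted by the form.
    check_admin_referer( 'ecfl_demo_save', 'ecfl_demo_nonce' );

    // wp_unslash undoes WordPress' magic-quotes slashing; sanitize_text_field
    // strips tags, invalid UTF-8 and control characters before storage.
    $title = isset( $_POST['form_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['form_title'] ) )
        : '';
    update_option( 'ecfl_demo_form_title', $title );
}

function ecfl_demo_secure_render() {
    $title = get_option( 'ecfl_demo_form_title', '' );
    // Escape for the output context: esc_attr inside an attribute value,
    // esc_html inside element content. Sanitizing on save is not a substitute,
    // because older stored values and other write paths may still hold markup.
    echo '<input type="text" name="form_title" value="' . esc_attr( $title ) . '">';
    echo '<h2>' . esc_html( $title ) . '</h2>';
    // Emit the nonce field the secure save handler verifies.
    wp_nonce_field( 'ecfl_demo_save', 'ecfl_demo_nonce' );
}
```

The two halves of the fix are independent: sanitizing on save limits what can be stored, and escaping on output makes the page safe even if something unsanitized is already in the database. Reviewing an update such as 1.1.29 for this class of bug means checking both the write path (capability, nonce, sanitize callback) and every place the option is echoed.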
Preconditions
- auth: Attacker must have a WordPress account with at least Contributor-level privileges
- config: The Contact Form Lite plugin must be installed and active with a version prior to 1.1.29
Reproduction
The advisory links to a proof of concept at https://wpscan.com/vulnerability/e1e7f423-f981-413c-a99a-e5927fc1cd0c/ but does not include the reproduction steps in the extracted text [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- https://wpscan.com/vulnerability/e1e7f423-f981-413c-a99a-e5927fc1cd0c/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.