Share
## https://sploitus.com/exploit?id=WPEX-ID:10392
High-privileged user (Editor+) can exploit XSS via Add New Form's form parameters:

- Button text
- Field Description

The stored script is executed for all the users visiting the website.

## Proof of Concept
1. Download and install "Constant Contact Forms for WordPress 1.8.7" from https://wordpress.org/plugins/constant-contact-forms/

2. Go into “Contact Form” tab from the sidebar and create a new form by clicking on the “Add New Form” button.

3. Input an XSS vector to "Button text", "Field Description" fields, for example:

" autofocus=true onfocus='alert(document.domain)'>

4. Save the changes and click on "Publish" (Editor role).
5. By visiting posts that have embedded shortcodes (Ex: `[ctct form="XXX"]`), the javaScript code injected would be executed.