Ultimate Addons for Contact Form 7
cpe:2.3:a:themefic:ultimate_addons_for_contact_form_7:*:*:*:*:wordpress:*:*
- >= 3.5.11, <= 3.5.19
A stored cross-site scripting vulnerability has been identified in the Ultimate Addons for Contact Form 7 WordPress plugin, affecting versions 3.5.11 through 3.5.19. The flaw stems from inadequate input sanitization and output escaping in the plugin's Database module: unfiltered field names are saved alongside the sanitized values. The admin-side AJAX endpoint 'ajax_get_table_data()' later returns these raw names as JSON column headers, and the client-side DataTables renderer inserts them directly into the DOM without HTML encoding. As a result, an unauthenticated attacker can store arbitrary web script that executes in the browser of any user who views the affected admin page.
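The sink described above is the client-side step: header strings taken from the JSON response are written into the table markup as HTML. The following is an added example, not code from the plugin or from DataTables, showing the unsafe concatenation pattern next to a hardened version that escapes every header before it reaches the DOM, plus a small defender-side check that flags stored headers containing HTML metacharacters. The sample response object is constructed for illustration; the assumption that DataTables treats a column `title` as HTML is why the option builder escapes it.

```javascript
// Added example (not the plugin's or DataTables' own code): escaping JSON-supplied
// column headers before they become table header cells.

// Minimal HTML escaping for text that will be placed in an HTML element body or
// a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample of an AJAX response whose column headers were stored raw.
// One header carries harmless markup to show the difference between the two
// renderers; it is not data from the plugin.
const sampleResponse = {
  columns: ['Name', 'Email', 'Attachment <b>raw</b>'],
  rows: [['Alice', 'alice@example.invalid', 'cv.pdf']],
};

// Unsafe pattern: header strings concatenated straight into HTML, so any markup
// in a header is parsed and rendered by the browser.
function renderHeadUnsafe(columns) {
  return '<tr>' + columns.map((c) => '<th>' + c + '</th>').join('') + '</tr>';
}

// Hardened pattern: every header is escaped before concatenation, so the same
// input is displayed as literal text.
function renderHeadSafe(columns) {
  return (
    '<tr>' + columns.map((c) => '<th>' + escapeHtml(c) + '</th>').join('') + '</tr>'
  );
}

// When the table is built through a DataTables-style `columns` option, the
// `title` string is assumed to be inserted as HTML, so it is escaped here too.
function buildColumnOptions(columns) {
  return columns.map((c) => ({ title: escapeHtml(c) }));
}

// Detection aid for reviewing stored submissions: returns the headers that
// contain HTML metacharacters so an administrator can inspect them. This is a
// triage check, not a substitute for escaping at the sink.
function findSuspiciousHeaders(columns) {
  return columns.filter((c) => /[<>"']/.test(c));
}

// Stand-alone run: print both renderings side by side.
console.log('unsafe :', renderHeadUnsafe(sampleResponse.columns));
console.log('safe   :', renderHeadSafe(sampleResponse.columns));
console.log('flagged:', findSuspiciousHeaders(sampleResponse.columns));
```

Escaping at the point of output is the fix that closes the sink regardless of what was stored; server-side sanitization of the field name on save is the complementary control, since it stops the raw value from being persisted in the first place.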
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
To reproduce this vulnerability, upload a file through a contact form that includes a script in the file name. The plugin will save the unfiltered file name along with the sanitized version. Then, access the admin-side AJAX endpoint 'ajax_get_table_data()' which will return the raw file name as a JSON column header. This header will be injected into the DOM by the DataTables renderer without any HTML encoding, allowing the script to execute.
Users are advised to update the Ultimate Addons for Contact Form 7 plugin to version 3.5.20 or later, where this vulnerability has been patched.