Responsive Contact Form Builder and Lead Generation Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Responsive Contact Form Builder & Lead Generation Plugin for WordPress, affecting all versions through 2.0.1. The issue arises from inadequate input sanitization in the 'lfb_lead_sanitize()' function, which fails to properly sanitize certain field types. This, combined with a lenient 'wp_kses()' filter that permits 'onclick' attributes on anchor tags, allows unauthenticated users to inject malicious scripts. These scripts are executed when an administrator views the lead entries in the WordPress dashboard.
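The allowlist weakness described above can be checked mechanically. The following is an added example, not code from the plugin or its patch: it audits a `wp_kses()`-style allowlist for event-handler attributes and shows a stored value encoded for display. The helper names `find_event_handler_attrs()` and `render_lead_value()`, both arrays, and the sample value are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. The arrays and the stored value below are constructed for
// illustration; they are not taken from the plugin's source.

/**
 * Hypothetical helper: list "tag[attr]" entries in a wp_kses()-style
 * allowlist that permit inline event handlers (attributes named on*).
 */
function find_event_handler_attrs(array $allowed_html): array
{
    $findings = [];
    foreach ($allowed_html as $tag => $attrs) {
        if (!is_array($attrs)) {
            continue; // no per-attribute list to inspect for this tag
        }
        foreach (array_keys($attrs) as $attr) {
            if (stripos((string) $attr, 'on') === 0) {
                $findings[] = strtolower((string) $tag) . '[' . strtolower((string) $attr) . ']';
            }
        }
    }
    return $findings;
}

/**
 * Hypothetical helper: encode a stored lead value for display as text.
 * Inside WordPress, esc_html() serves this purpose.
 */
function render_lead_value(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allowlist of the kind described above: anchors may carry onclick.
$lenient = ['a' => ['href' => [], 'title' => [], 'onclick' => []], 'br' => []];
// Same allowlist with the event handler removed.
$strict  = ['a' => ['href' => [], 'title' => []], 'br' => []];

// Constructed stand-in for a submitted field value.
$stored = '<a href="#" onclick="/* script placeholder */">view</a>';

printf("lenient findings: %s\n", implode(', ', find_event_handler_attrs($lenient)) ?: 'none');
printf("strict findings:  %s\n", implode(', ', find_event_handler_attrs($strict)) ?: 'none');
printf("escaped for display: %s\n", render_lead_value($stored));
```

The audit function runs under the PHP CLI without WordPress, so it can be pointed at any allowlist array passed to `wp_kses()` in a code review.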
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the lead entries.
Reproduction
To reproduce this vulnerability, submit a form using the Responsive Contact Form Builder & Lead Generation Plugin version 2.0.1 or earlier. Include a payload with a script in one of the form fields that is not properly sanitized. Once the form is submitted, the injected script will execute when an administrator accesses the lead entries in the WordPress dashboard.
Remediation
Users are advised to update the plugin to version 2.0.2 or later, where this vulnerability has been patched.
