03 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in Contact Form 7 Database

One of the ways we keep track of vulnerabilities in WordPress plugins is by monitoring the wordpress.org Support Forum, as that is sometimes where vulnerabilities are disclosed. As far as we can tell we are alone in doing this, so if you are relying on another data source for your plugin vulnerability data you are most likely not going to be warned about those. One recent vulnerability we came across that way is a persistent cross-site scripting (XSS) vulnerability in the plugin Contact Form 7 Database. While looking into that we noticed that the plugin also has a reflected cross-site scripting (XSS) vulnerability.

When using the search function on the plugin’s admin page, the value searched for, supplied as the GET input “search”, is echoed without being escaped on line 11 of the file /admin/search.php:

<input value="<?php echo ((isset($_GET['search'])) ? $_GET['search'] : ''); ?>" type="text" class="" id="cf7d-search-q" placeholder="<?php echo _e('Type something...'); ?>" id="" />

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=cf7-data&search="><script>alert(document.cookie);</script>
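The fix for this class of bug is to escape the request value for the context it lands in, here a quoted HTML attribute. The following is an added example written for this post, not code from the plugin or its developer: it places the vulnerable pattern from line 11 beside a hardened version that escapes with WordPress’s esc_attr(), and feeds both the same constructed input shaped like the proof of concept above. The function names render_search_input_vulnerable and render_search_input_safe are ours, and the esc_attr() fallback exists only so the script runs outside WordPress (it mirrors what esc_attr() does with htmlspecialchars()). Note also that _e() already echoes, so the original line’s echo _e(...) prints nothing extra but is redundant.

```php
<?php
// Added example, not the plugin's code. In a WordPress plugin esc_attr() is
// always available; this fallback only lets the script run stand-alone.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Escape <, >, &, " and ' so the value cannot break out of an attribute.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// The vulnerable pattern from /admin/search.php line 11: the raw GET value is
// written straight into a double-quoted attribute.
function render_search_input_vulnerable(array $get): string {
    $search = isset($get['search']) ? $get['search'] : '';
    return '<input value="' . $search . '" type="text" id="cf7d-search-q" />';
}

// Hardened version: the same value, escaped for the attribute context.
function render_search_input_safe(array $get): string {
    $search = isset($get['search']) ? $get['search'] : '';
    return '<input value="' . esc_attr($search) . '" type="text" id="cf7d-search-q" />';
}

// A simple check a reviewer can run on rendered output: the only '<' characters
// allowed are the ones the template itself emits, so count them.
function attribute_breakout_detected(string $html): bool {
    // The template contributes exactly one '<' (the input tag itself).
    return substr_count($html, '<') > 1;
}

// Constructed sample input with the same shape as the proof of concept above.
$sample = ['search' => '"><script>alert(document.cookie);</script>'];

$vulnerable = render_search_input_vulnerable($sample);
$safe       = render_search_input_safe($sample);

echo $vulnerable, "\n";
// The quote closes the value attribute and a script element is injected.
echo 'breakout in vulnerable output: ', var_export(attribute_breakout_detected($vulnerable), true), "\n";

echo $safe, "\n";
// The quote and angle brackets arrive as &quot; &gt; &lt;, so the browser sees
// only text inside the attribute.
echo 'breakout in hardened output: ', var_export(attribute_breakout_detected($safe), true), "\n";
```

Run it with php on the command line: the first rendering shows the attribute being closed early, the second keeps the whole string inside the value attribute. The same rule applies to the placeholder attribute and to any other spot where request data is written into markup; pick esc_attr(), esc_html(), esc_url() or esc_js() according to where the value ends up.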


  • March 27, 2017 – Developer notified.
  • April 3, 2017 – WordPress.org Plugin Directory notified.
  • April 3, 2017 – Plugin removed from WordPress.org Plugin Directory.
  • April 4, 2017 – Version 1.2 submitted to WordPress.org Plugin Directory’s Subversion repository, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
