
WordPress plugin Quick Contact Form 6.0 persistent XSS - Website Security

Title
=====
Quick Contact Form - Persistent Cross Site Scripting Vulnerability

Author
======
Zy0d0x

Developer
=========
Quick Plugins - http://quick-plugins测试数据/

Affected Products
=================
Quick Contact Form WordPress Plugin Version 6.0, possibly earlier

Vulnerability Class
===================
Cross-Site Scripting

Description
===========
Quick Contact Form suffers from a persistent Cross-Site Scripting vulnerability due to a lack of input validation and output sanitization of the qcfname4 parameter. Other input fields are also susceptible to reflected cross-site scripting.

Proof of Concept
================
Enter the following into the field where Quick Contact Form requests a Message.

--- SNIP ---
"><script>alert(String.fromCharCode(90,121,48,100,48,120))</script><
--- SNIP ---

If the message has been sent successfully, an alert dialog containing "Zy0d0x" will appear when a user checks the message in the dashboard.

Impact
======
An attacker could potentially hijack session authentication tokens of remote users and leverage the vulnerability to widen the attack vector to the underlying software and operating system of the victim.

Severity
========
High

Status
======
Fixed in the new version v6.1
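The advisory names two missing controls, input validation and output sanitization. The following is an added illustration (not code from the Quick Contact Form plugin) of what a stored contact message looks like when it is echoed into the dashboard unescaped, next to the hardened pattern that escapes it for its HTML context at output time; the function names and the option key are assumptions, while the WordPress API calls (sanitize_text_field, sanitize_textarea_field, get_option, update_option, esc_html) are real.

```php
<?php
// Hypothetical, added example; not the plugin's own code.

// Store a submitted message. Sanitizing on input strips tags and control
// characters, but this alone is not the fix: whatever reaches the database
// still has to be escaped when the dashboard renders it.
function qcf_demo_store_message( array $post ) {
    $messages   = get_option( 'qcf_demo_messages', array() );   // assumed option key
    $messages[] = array(
        'name'    => sanitize_text_field( $post['qcfname4'] ?? '' ),
        'message' => sanitize_textarea_field( $post['message'] ?? '' ),
    );
    update_option( 'qcf_demo_messages', $messages );
}

// VULNERABLE pattern: stored user input is concatenated straight into the
// admin page, so a message that closes the surrounding attribute and tag
// (as in the advisory's proof of concept) runs as script for whoever
// reads the message in the dashboard.
function qcf_demo_render_unsafe() {
    foreach ( get_option( 'qcf_demo_messages', array() ) as $m ) {
        echo '<tr><td>' . $m['name'] . '</td><td>' . $m['message'] . '</td></tr>';
    }
}

// HARDENED pattern: escape every value for the HTML text context it lands
// in. The browser then shows the payload as literal text instead of
// parsing it as markup, regardless of what was stored.
function qcf_demo_render_safe() {
    foreach ( get_option( 'qcf_demo_messages', array() ) as $m ) {
        echo '<tr><td>' . esc_html( $m['name'] ) . '</td><td>'
           . nl2br( esc_html( $m['message'] ) ) . '</td></tr>';
    }
}
```

Escaping is chosen per context: esc_html() for element content as here, esc_attr() inside attributes, and esc_url() for href values; the same stored string needs a different escaper in each.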
