Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites.

Please note that this is a separate plugin from Contact Form 7 and is designed as an add-on to that plugin.

Wordfence Threat Intelligence team initially reached out to the plugin’s developer on December 9, 2020. They received no response for a week and followed up on December 16, 2020. After receiving no response for nearly 30 days and granting extra time due to the holidays, the team escalated the issue to the WordPress Plugins team on January 4, 2021, providing the full details of the vulnerability at the time of reporting.

Unfortunately, neither the WordPress Plugins team nor the Wordfence Threat Intelligence team received a response. This week, on February 1, 2021, the plugin was removed from the repository due to lack of response from the plugin’s developer.

Description: Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS)
Affected Plugin: Contact Form 7 Style
Plugin Slug: contact-form-7-style
Affected Versions: <= 3.1.9
CVE ID: Pending.
CVSS Score: 8.8 (High)
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: REMAINS UN-PATCHED.

Buy Me a Coffee

Contact Form 7 Style is a plugin that can be used to add additional styles to forms created with Contact Form 7, one of the most popular plugins for WordPress. As part of its functionality, Contact Form 7 Style allows users to customize Cascading Style Sheets (CSS) code in order to customize the appearance of contact forms crafted by Contact Form 7.

READ
‘Disable Admin Notices Individually’ Plugin Exposes 100,000+ Sites to Risk

Due to the lack of sanitization and lack of nonce protection on this feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

It is important to note that as with all CSRF vulnerabilities, this vulnerability can only be exploited if a user with administrative capabilities performs an action while authenticated to the vulnerable WordPress site. As a general recommendation, site administrators should always be alert when clicking on any links. If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment. This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities.

We strongly recommend deactivating and removing the Contact Form 7 Style plugin and finding a replacement, as it appears this plugin won’t be patched in the foreseeable future.