CVE-2015-4010

Encrypted Contact Form < 1.1 - Cross-Site Request Forgery via iframe_url Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-4010. PoCs published by Nitin Venkatesh.

AI-analyzed exploit summary This PoC demonstrates a CSRF attack combined with XSS in the Encrypted Contact Form WordPress Plugin v1.0.4. The exploit submits a crafted form to update an existing contact form, injecting malicious JavaScript via the 'iframe_url' parameter.

Description

Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the iframe_url parameter in an Update Page action in the conformconf page to wp-admin/options-general.php.

Exploits (1)

exploitdb WORKING POC

by Nitin Venkatesh · textwebappsphp

https://www.exploit-db.com/exploits/37264

View Code ZIP pw:eip

This PoC demonstrates a CSRF attack combined with XSS in the Encrypted Contact Form WordPress Plugin v1.0.4. The exploit submits a crafted form to update an existing contact form, injecting malicious JavaScript via the 'iframe_url' parameter.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Encrypted Contact Form WordPress Plugin v1.0.4

No auth needed

Prerequisites: Access to a WordPress admin session or ability to trick an admin into submitting the form

MITRE ATT&CK