NEX-Forms < 8.4.4 – Authenticated Stored XSS | CVE 2023-0439 | Plugin Vulnerabilities

Description

The plugin does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms, however there is a settings allowing them to give lower roles access to such feature.

Proof of Concept

Create a new form with the following name: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

Save it and access the plugin's dashboard again to trigger the XSS

Affects Plugins

nex-forms-express-wp-form-builder

Fixed in 8.4.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Felipe Restrepo Rodriguez and Edison Poveda

Submitter

Felipe Restrepo Rodriguez and Edison Poveda

Submitter website

https://pfelilpe.com

Submitter twitter

Verified

Yes

WPVDB ID

04cea9aa-b21c-49f8-836b-2d312253e09a

Timeline

Publicly Published

2023-06-26 (about 10 months ago)

Added

2023-06-26 (about 10 months ago)

Last Updated

2023-06-26 (about 10 months ago)

Other

Published

Title

Published

2018-10-16

Title

Support Board < 1.2.4 - Stored Cross-Site Scripting

Published

2021-07-19

Title

YouTube Embed < 5.2.2 - Contributor+ Stored XSS

Published

2023-03-27

Title

Easy Forms for MailChimp < 6.8.7 - Contributor+ Stored XSS

Published

2021-07-20

Title

Multiple Plugins from Smash Balloon - Reflected Cross-Site Scripting

Published

2023-09-11

Title

JQuery Accordion Menu Widget for WordPress <= 3.1.2 - Contributor+ Stored XSS