FluentForms < 4.3.25 – Contributor+ Stored XSS via Custom HTML Form Field | CVE 2023-0546 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to the form or admins previewing or editing the form.

Proof of Concept

As a contributor, create a blank form and add custom html field with the following content in the "Text" tab of the field editor:

<p>Some description about this section</p><p><iframe srcdoc="<script>alert(document.cookie)</script>"></iframe></p>

Do not decode the payload. And please ensure that payload is added when editor has Text tab selected. Save the form, it will trigger xss payload.

Affects Plugins

Fixed in 4.3.25

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Vaibhav Rajput

Submitter

Vaibhav Rajput

Verified

Yes

WPVDB ID

078f33cd-0f5c-46fe-b858-2107a09c6b69

Timeline

Publicly Published

2023-03-20 (about 1 years ago)

Added

2023-03-20 (about 1 years ago)

Last Updated

2023-03-20 (about 1 years ago)

Other

Published

Title

Published

2023-11-01

Title

ChatBot 4.8.6 - 4.9.6 - Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder

Published

2024-05-14

Title

WP eMember < 10.3.9 - Reflected XSS

Published

2021-04-13

Title

HT Mega - Absolute Addons for Elementor Page Builder < 1.5.7 - Contributor+ Stored XSS

Published

2023-05-18

Title

WeSecur Security <= 1.2.1 - Admin+ Stored Cross-Site Scripting

Published

2024-03-25

Title

Co-marquage service-public.fr < 0.5.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode