WordPress Plugin Vulnerabilities

Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting via Import

Description

The plugin does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

- Make a test form and then export it to your system.
- Edit the file and enter an XSS payload like "<img src=x onerror=alert('XSS')" inside the title object in the JSON file.
- Go back to the import/export tab and notice that the payload was executed

Affects Plugins

Plugin icon
ninja-forms
Fixed in 3.6.10

References

CVE
CVE-2021-25066

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Muhammad Adel
Submitter website
https://itsfading.github.io
Submitter twitter
ItsFadinG_
Verified
Yes
WPVDB ID
323d5fd0-abe8-44ef-9127-eea6fd4f3f3d

Timeline

Publicly Published
2022-06-10 (about 1 years ago)
Added
2022-06-13 (about 1 years ago)
Last Updated
2023-03-13 (about 1 years ago)

Other

Published
Title
Published
2022-08-17
Title
Autoptimize < 3.1.1 - Admin+ Stored Cross Site Scripting
Published
2014-08-01
Title
Lazyest Gallery <= 1.1.20 - EXIF Script Insertion
Published
2015-06-29
Title
Broken Link Checker <= 1.10.8 - Unauthenticated Stored XSS
Published
2014-08-01
Title
All in One Adsense YPN 2.0.1 - all-in-one-adsense-&-ypn.php Direct Request AdSense Account Manipulation
Published
2022-12-28
Title
Word Balloon < 4.19.3 - Contributor+ Stored XSS via Shortcode