WordPress Calls to Action <= 2.2.7 – Stored XSS | Plugin Vulnerabilities

Description

The AJAX action ‘inbound_form_save’ allows unauthenticated users to update the content of any specific form on the site. In order to exploit this, a form ID must be enumerated using another unauthenticated AJAX action, ‘inbound_get_form_data’. Once a form ID has been enumerated, the content of the form may be overwritten a request like the one constructed in the PoC below. This allows for a Persistent XSS to be achieved on any page that a form is used, as no validation is performed on the input of the ‘shortcode’ field data.

Affects Plugins

Fixed in 2.2.8

References

URL

https://g0blin.co.uk/g0blin-00026/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

James Hooker

Submitter website

https://research.g0blin.co.uk

Submitter twitter

Verified

No

WPVDB ID

990c55a8-68e8-4561-91ed-bf814a80e2de

Timeline

Publicly Published

2015-02-02 (about 11 years ago)

Added

2015-02-02 (about 11 years ago)

Last Updated

2019-10-21 (about 6 years ago)

Other

Published

Title

Published

2023-03-14

Title

Modern Events Calendar lite < 6.5.2 - Admin+ Stored XSS

Published

2024-05-20

Title

Simple Popup Manager <= 1.3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-03-29

Title

Easy Forms for MailChimp < 6.8.8 - Reflected XSS

Published

2025-07-21

Title

Ebook Store < 5.8013 - Authenticated (Administrator+) Stored Cross-Site Scripting via Order Details

Published

2021-09-01

Title

XO Event Calendar < 2.3.7 - Reflected Cross-Site Scripting