NinjaForms < 3.5.8.2 – Admin+ Stored Cross-Site Scripting | CVE 2021-24381 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

With the Form Builder "Dev Mode” setting enabled, create a form and a field, then under the Display option of the field, add the following payload in the Custom Class Names Container field "><img src onerror=alert(/XSS/)>

Save the field and form then view/preview the page with the form embed to trigger the XSS

https://www.youtube.com/watch?v=Ax8QK5gEBUk

Affects Plugins

Fixed in 3.5.8.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rodel Plasabas

Submitter

Rodel Plasabas

Verified

Yes

WPVDB ID

e383fae6-e0da-4aba-bb62-adf51c01bf8d

Timeline

Publicly Published

2021-09-27 (about 2 years ago)

Added

2021-09-27 (about 2 years ago)

Last Updated

2022-04-14 (about 2 years ago)

Other

Published

Title

Published

2024-01-02

Title

MapPress Maps for WordPress < 2.88.14 - Contributor+ Stored XSS

Published

2023-02-21

Title

Smart Logo Showcase Lite <= 1.1.9 - Contributor+ Stored XSS

Published

2024-01-05

Title

RSS Aggregator by Feedzy < 4.3.3 - Author+ Stored Cross-Site Scripting

Published

2023-04-24

Title

Tippy <= 6.2.1 - Contributor+ Stored XSS

Published

2023-10-29

Title

Slick Popup: Contact Form 7 Popup Plugin < 1.7.15 - Authenticated (Admin+) Stored Cross-Site Scripting