Wednesday, 31 October 2018

CVE-2018-14846 - Multiple Stored XSS in Multi Step Form

Exploit Author: Mohammed Ansari(mohammedansari.sahulhameed@comodo.com)
Skype: ansa_ert
LinkedIn: https://www.linkedin.com/in/ansaert/
Discovered Date: July 27 2018
Affected Version: 1.2.5
Fixed Version: 1.2.8 Released on Aug 3 2018.
Active installations: 7,000+           
Plugin: https://wordpress.org/plugins/multi-step-form/

Description

Multi Step Form has a drag & drop enabled form builder for quick and intuitive creation of nice-looking multi step forms. Forms can be embedded on any page or post with short codes.

Classification

Type:  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE: CWE-79

Proof of Concept

There is multiple stored and reflected XSS vulnerabilities in file class-mondula-multistep-forms-admin.php in fw_wizard_save action. The reason - unsanitized user's input from the following parameters:
data[wizard][steps][0][title]
data[wizard][steps][0][headline]
data[wizard][steps][0][copy_text]
data[wizard][steps][0][parts][0][title]
data[wizard][steps][0][parts][0][blocks][0][label]
data[wizard][steps][0][parts][0][blocks][0][format]
data[wizard][steps][0][parts][0][blocks][1][label]
data[wizard][steps][0][parts][0][blocks][2][label]
data[wizard][steps][0][parts][0][blocks][3][label]
data[wizard][settings][thankyou]
Exploiting this vulnerability requires authentication.

Example:
Locate Multi step form and enter payload and Save. The values are passed via Ajax →  http://localhost/word496/wp-admin/admin-ajax.php
data%5Bwizard%5D%5Btitle%5D=My+Multi+Step+Form%22%3E%3Cscript%3Ealert(22)%3B%3C%2Fscript%3E

Screenshots of vulnerability

No comments:

Post a Comment