------------------------------------------------------------------------ Cross-Site Scripting in FormBuilder WordPress Plugin ------------------------------------------------------------------------ Peter Ganzevles, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A Reflected Cross-Site Scripting (XSS) vulnerability has been found in the FormBuilder WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any logged-in admin. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160722-0007 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on FormBuilder [2] version 1.05. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in FormBuilder version 1.06 [3]. ------------------------------------------------------------------------ Introduction ------------------------------------------------------------------------ The FormBuilder [2] Plugin for WordPress allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML. A Reflected Cross-Site Scripting (XSS) vulnerability has been found in the FormBuilder WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any logged-in admin who views the link in the proof of concept below. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ The FormBuilder plugin is vulnerable to a Reflected Cross Site Scripting attack in the main page. This means that an attacker can craft a link, such as the one below, which will inject malicious javascript in the page of any admin visiting it. The vulnerability lies in a piece of code in the file html/options_default.inc.php. Here, on line 35-40, the following form class is created: 35:
This form has two input fields which are populated with data directly from a GET parameter, which is not sanitized beforehand. These are $_GET['page’] and $_GET['pageNumber’]. While supplying a malicious payload to the $_GET[‘pageNumber’] parameter causes the application to just throw an error, supplying it to the $_GET[‘page’] parameter will cause it to be executed. ------------------------------------------------------------------------ Proof of concept ------------------------------------------------------------------------ The following URL causes an alert box to spawn, which, while not dangerous in and of itself, is an easy way to prove that it is vulnerable. http://