------------------------------------------------------------------------
Reflected Cross-Site Scripting in FormBuilder WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability has been found in the
FormBuilder [2] WordPress plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
A fix for this issue is currently not available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder [2] WordPress plugin allows you to build contact forms
in the WordPress administrative interface without needing to know PHP or
HTML. 

A reflected Cross-Site Scripting vulnerability has been found in the
FormBuilder WordPress plugin. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists due to the fact that neither the fbmsg or the
formSearchQuery field in the tools.php file validates <script> tags or
perform output encoding. As a result malicious script code can be added
to these fields.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept code demonstrates this issue:

- http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber&fbtag&fbaction=forms&fbmsg=<script>alert(1)</script>n edit it <a href="/wp-admin/tools.php?page=formbuilder.php&pageNumber=&fbtag=&fbaction=editForm&fbid=9">here</a>
- http://<target>/wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery="><script>alert(1)</script>

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/reflected_cross_site_scripting_in_formbuilder_wordpress_plugin.html
[2] https://wordpress.org/plugins/formbuilder/