Advisory

Burak Kelebek, July 2016

Reflected Cross-Site Scripting in FormBuilder WordPress Plugin

Abstract

A reflected Cross-Site Scripting vulnerability has been found in the FormBuilder WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

OVE ID

OVE-20160724-0006

Tested versions

This issue was successfully tested on FormBuilder version 1.05

Fix

A fix for this issue is currently not available.

Introduction

The FormBuilder WordPress plugin allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML.

A reflected Cross-Site Scripting vulnerability has been found in the FormBuilder WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Details

This issue exists due to the fact that neither the fbmsg or the formSearchQuery field in the tools.php file validates <script> tags or perform output encoding. As a result malicious script code can be added to these fields.

Proof of concept

The following proof of concept code demonstrates this issue:

- http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber&fbtag&fbaction=forms&fbmsg=<script>alert(1)</script>n edit it <a href="/wp-admin/tools.php?page=formbuilder.php&pageNumber=&fbtag=&fbaction=editForm&fbid=9">here</a>
- http://<target>/wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery="><script>alert(1)</script>

Latest News & Research

Work with us →