Abstract
A reflected Cross-Site Scripting vulnerability has been found in the FormBuilder WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
OVE ID
OVE-20160724-0006
Tested versions
This issue was successfully tested on FormBuilder version 1.05
Fix
A fix for this issue is currently not available.
Introduction
The FormBuilder WordPress plugin allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML.
A reflected Cross-Site Scripting vulnerability has been found in the FormBuilder WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Details
This issue exists due to the fact that neither the fbmsg
or the formSearchQuery
field in the tools.php
file validates <script>
tags or perform output encoding. As a result malicious script code can be added to these fields.
Proof of concept
The following proof of concept code demonstrates this issue:
- [http://
/wp-admin/tools.php?page=formbuilder.php&pageNumber&fbtag&fbaction=forms&fbmsg=n edit it here](http:// /wp-admin/tools.php?page=formbuilder.php&pageNumber&fbtag&fbaction=forms&fbmsg=n edit it here) - http://
/wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery=">