Advisory

Peter Ganzevles, July 2016

Cross-Site Scripting in FormBuilder WordPress Plugin

Abstract

A Reflected Cross-Site Scripting (XSS) vulnerability has been found in the FormBuilder WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any logged-in admin.

OVE ID

OVE-20160722-0007

Tested versions

This issue was successfully tested on FormBuilder version 1.05.

Fix

This issue is resolved in FormBuilder version 1.06.

Introduction

The FormBuilder Plugin for WordPress allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML. A Reflected Cross-Site Scripting (XSS) vulnerability has been found in the FormBuilder WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any logged-in admin who views the link in the proof of concept below.

Details

The FormBuilder plugin is vulnerable to a Reflected Cross Site Scripting attack in the main page. This means that an attacker can craft a link, such as the one below, which will inject malicious javascript in the page of any admin visiting it.

The vulnerability lies in a piece of code in the file html/options_default.inc.php. Here, on line 35-40, the following form class is created:

35: <form class='formSearch' name="formSearch" method="GET" action="<?php echo FB_ADMIN_PLUGIN_PATH; ?>">
36:    <input name='page' type="hidden" value="<?php echo $_GET['page']; ?>" />
37:    <input name='pageNumber' type="hidden" value="<?php echo $_GET['pageNumber']; ?>" />
38:    <input name='formSearch' type="text" size="10" value="<?php echo $formSearch; ?>" />
39:    <input class='searchButton' name='Search' type="submit" value="Search" />
40: </form>

This form has two input fields which are populated with data directly from a GET parameter, which is not sanitized beforehand. These are $_GET['page’] and $_GET['pageNumber’]. While supplying a malicious payload to the $_GET[‘pageNumber’] parameter causes the application to just throw an error, supplying it to the $_GET[‘page’] parameter will cause it to be executed.

Proof of concept

The following URL causes an alert box to spawn, which, while not dangerous in and of itself, is an easy way to prove that it is vulnerable.

http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&formSearch=test&Search=Search

Work with us →