A reflected Cross-Site Scripting vulnerability has been found in the FormBuilder WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure or force a logged-in WordPress Administrator into opening a malicious website.
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29: a community summer event in which a large group of security bughunters from around the world collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE-20160724-0006
This issue was successfully tested on FormBuilder version 1.05
A fix for this issue is currently not available.
The FormBuilder WordPress plugin allows you to build contact forms in the WordPress administrative interface without needing to know PHP or HTML.
This issue exists because neither the fbmsg nor the formSearchQuery parameter, as handled by the plugin page served under tools.php, is validated (for example to reject <script> tags) or output-encoded before it is written into the page. As a result, malicious script code supplied in these parameters is reflected into the Administrator's browser and executed.
The following proof of concept code demonstrates this issue:
- http://<target>/wp-admin/tools.php?page=formbuilder.php&pageNumber&fbtag&fbaction=forms&fbmsg=<script>alert(1)</script>n edit it <a href="/wp-admin/tools.php?page=formbuilder.php&pageNumber=&fbtag=&fbaction=editForm&fbid=9">here</a>
- http://<target>/wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery="><script>alert(1)</script>
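The pattern behind both proofs of concept, shown as an added example in plain PHP rather than as FormBuilder's own code: a request parameter is echoed into a WordPress admin page without escaping, once in an HTML text context (fbmsg) and once inside an attribute value (formSearchQuery). The function names, the message texts, the markup and the sample request values are assumptions made for this illustration; only the parameter names come from the advisory. The hardened variants stop taking markup from the URL at all (a message code is mapped to server-side text) and escape the remaining value for its output context with the WordPress esc_html()/esc_attr() helpers, with local fallbacks so the file also runs outside WordPress.

```php
<?php
// Added example; not code from the FormBuilder plugin.
// Function names, messages and markup are assumptions for illustration.

// Fallbacks so the example runs stand-alone; inside WordPress the real
// esc_html()/esc_attr() helpers (which behave like this) are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE (assumed shape of the bug): fbmsg lands in the page verbatim,
// so ?fbmsg=<script>alert(1)</script> is emitted as live script.
function fb_render_message_vulnerable(array $get): string {
    $msg = isset($get['fbmsg']) ? (string) $get['fbmsg'] : '';
    return '<div class="updated"><p>' . $msg . '</p></div>';
}

// VULNERABLE (assumed shape of the bug): formSearchQuery is placed inside an
// attribute, so ?formSearchQuery="><script>alert(1)</script> closes the
// attribute and the tag, then injects script.
function fb_render_search_vulnerable(array $get): string {
    $q = isset($get['formSearchQuery']) ? (string) $get['formSearchQuery'] : '';
    return '<input type="text" name="formSearchQuery" value="' . $q . '">';
}

// HARDENED: the URL may only select a message *code*; the text (and any
// link markup) is defined server-side, so there is nothing to escape from.
function fb_render_message_hardened(array $get): string {
    $messages = [
        'created' => 'Your form has been created.',
        'saved'   => 'Your form has been saved.',
    ];
    $code = isset($get['fbmsg']) ? (string) $get['fbmsg'] : '';
    if (!array_key_exists($code, $messages)) {
        return '';                      // unknown code: show nothing
    }
    return '<div class="updated"><p>' . esc_html($messages[$code]) . '</p></div>';
}

// HARDENED: the search term is real user data and must be reflected, so it
// is escaped for the attribute context it is written into.
function fb_render_search_hardened(array $get): string {
    $q = isset($get['formSearchQuery']) ? (string) $get['formSearchQuery'] : '';
    return '<input type="text" name="formSearchQuery" value="' . esc_attr($q) . '">';
}

// Constructed request values mirroring the advisory's proofs of concept.
$attack = [
    'fbmsg'           => '<script>alert(1)</script>',
    'formSearchQuery' => '"><script>alert(1)</script>',
];

echo "vulnerable message: " . fb_render_message_vulnerable($attack) . "\n";
echo "hardened  message:  " . fb_render_message_hardened($attack) . "\n";
echo "vulnerable search:  " . fb_render_search_vulnerable($attack) . "\n";
echo "hardened  search:   " . fb_render_search_hardened($attack) . "\n";
```

Run with `php example.php`: the two vulnerable lines contain a raw `<script>` element, the hardened message line is empty (the payload is not a known message code), and the hardened search line shows the payload as `&quot;&gt;&lt;script&gt;...`, which the browser renders as text inside the attribute. Independently of escaping, a WordPress admin page that reacts to GET parameters should also require a nonce (check_admin_referer()); a correct nonce check means an attacker cannot build a working link from a third-party site, which removes the cross-site delivery route this advisory relies on, but it is not a substitute for output encoding.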