Analysts in Fixhackedwebsite Security team discovered a flaw in WordPress version 1.2.5 of the ‘Multiple Stored XSS Form’ on July 28, 2018, which can be used to steal personal data from users. This problem was caused by unsuitable sanitization, so the values were stored without proper validation or escape.
Although risks are common to every XSS, XSS has been stored in this vulnerability, most dangerous for Mondula Multi Step Form Plugin users up to 1.2.5 on WordPress CDN. Users worried that they were exposed to this vulnerability have to update to the new plugin version.
Type: Improper Input Neutralization At Web Page Generation (‘Cross-site Scripting’)
Evidence of Theory
The file class-mondula-multistep-forms-admin.php in fw wizard save action includes several stored and mirrored XSS vulnerabilities. The explanation for this includes unsanitized user feedback from the parameters below:
Taking advantage of this weakness would require authentication.
Locate multi-step method and enter Save and payload. The values are passed via Ajax → http:/localhost / word496 / wp-admin / admin-ajax.php
There is a lack of sanitized values in this situation, because the values were stored without sufficient validation or escape. Sanitize vectors affected so as to prevent XSS. Corrected code below:
How to protect yourself (before patching):
Web Application Firewall (WAF) provides web applications and websites running on Apache, LiteSpeed and Nginx under Linux with strong, real-time security. WAF follows the ModSecurity rules and offers advanced protection against scanning, security and intrusion.
What it’s needed:
- Secure sensitive consumer data
- Comply with PCI specifications
- Unauthorised access block
- Prevent attacks by SQL injection and cross-site scripting (XSS)