Analysts on the Fixhackedwebsite security team discovered, on July 28, 2018, multiple stored XSS flaws in version 1.2.5 of the Multi Step Form WordPress plugin, which could be used to steal personal data from users. The problem was caused by inadequate sanitization: values were stored without proper validation or escaping.
More here:
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
Although the risks are common to every XSS, this vulnerability is a stored XSS, the most dangerous kind, and affects users of the Mondula Multi Step Form plugin up to version 1.2.5 on the WordPress CDN. Users worried about exposure to this vulnerability should update to the new plugin version.
The Multi Step Form plugin provides a drag-and-drop form builder that makes it easy and intuitive to create nice-looking multi-step forms. Forms can be embedded in any page or article using shortcodes. This issue can be exploited by a remote attacker to execute JavaScript code via a reflected XSS attack.
Classification
Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE: CWE-79
Proof of Concept
The fw wizard save action in the file class-mondula-multistep-forms-admin.php contains several stored and reflected XSS vulnerabilities. The cause is unsanitized user input from the parameters below:
Taking advantage of this weakness would require authentication.
Example:
Locate the multi-step form, enter the payload and click Save. The values are passed via Ajax to http://localhost/word496/wp-admin/admin-ajax.php
Code Difference
The values are not sanitized here: they were stored without sufficient validation or escaping. The affected vectors must be sanitized to prevent XSS. Corrected code below:
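As an added illustration of the sanitize-on-input, escape-on-output pattern (this is not the plugin's code or the original post's code), here is a vulnerable admin-ajax save handler beside a hardened one built on WordPress's own sanitization and escaping functions. The action name, option keys and field names are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration, not the plugin's own code. The action name, option
// keys and field names below are assumptions.

// Vulnerable pattern: a form setting is taken straight from $_POST, stored
// as-is, and later echoed back into the admin page without escaping.
function example_form_save_unsafe() {
    $title = $_POST['title'];                       // no validation or sanitization
    update_option( 'example_form_title', $title );  // stored verbatim
    // Unescaped output: whatever was stored is rendered as markup (stored XSS).
    echo '<input value="' . get_option( 'example_form_title' ) . '">';
    wp_die();
}

// Hardened pattern: verify the request, sanitize on input, escape on output.
function example_form_save_safe() {
    // 1. Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_form_save', 'nonce' );

    // 2. Reject users who are not allowed to edit form settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize each value for the context it will be stored in.
    //    Plain text: strip tags and control characters.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    //    Rich text: keep only the post-safe allow-list of tags and attributes.
    $desc = isset( $_POST['description'] )
        ? wp_kses_post( wp_unslash( $_POST['description'] ) )
        : '';

    update_option( 'example_form_title', $title );
    update_option( 'example_form_description', $desc );

    // 4. Escape again when rendering; sanitizing on input does not replace this.
    wp_send_json_success( array(
        'title_html' => '<input value="' . esc_attr( $title ) . '">',
        'desc_html'  => wp_kses_post( $desc ),
    ) );
}
add_action( 'wp_ajax_example_form_save', 'example_form_save_safe' );
```

Any place the stored values are printed into HTML (admin screens and the shortcode output alike) needs the matching escape call (esc_html, esc_attr or wp_kses_post) for its context.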
How to protect yourself (before patching):
A Web Application Firewall (WAF) provides strong, real-time protection for web applications and websites running on Apache, LiteSpeed and Nginx under Linux. The WAF follows ModSecurity rules and offers advanced protection against scanning and intrusion attempts.
What it is needed for:
- Secure sensitive consumer data
- Comply with PCI specifications
- Block unauthorised access
- Prevent SQL injection and cross-site scripting (XSS) attacks