XSS Vulnerability in Fast Secure Contact form version 4.0.37 #4

Open
@cybersecurityworks


Details

WordPress Product Bug Report
Bug Name: XSS (Cross Site Scripting)
Software: Fast Secure Contact Form plugin
Version: 4.0.37
Last Updated: 21-08-2015
Homepage: https://wordpress.org/plugins/si-contact-form/
Compatible up to: WordPress 4.3.0 (requires 3.4.2 or higher)
Severity: High
Description: XSS vulnerability in the WordPress plugin Fast Secure Contact Form
Changelog: https://wordpress.org/plugins/si-contact-form/changelog/

Proof of concept

Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/plugins.php?page=si-contact-form%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1. Modify the value of the fs_contact_form1[welcome] variable to the <script>alert(document.cookie);</script> payload and send the request to the server.

The stored payload is then echoed back by the server, without any validation of the input, whenever the page holding the script is viewed.

Note: the XSS payload was also tested once after the unfiltered-HTML setting below had been added to the wp-config.php file.

define( 'DISALLOW_UNFILTERED_HTML', true );

Issue 1:
The POST request parameter fs_contact_form1[welcome] at the URL http://yourwordpresssite.com/wordpress/wp-admin/plugins.php?page=si-contact-form%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1 in Fast Secure Contact Form 4.0.37 is vulnerable to Cross Site Scripting (XSS).

Figure 1: XSS payload injected into the fs_contact_form1[welcome] variable at the URL http://yourwordpresssite.com/wordpress/wp-admin/plugins.php?page=si-contact-form%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1

Figure 2: XSS payload executed in the browser whenever the user views the page.


Reproducing Steps

  1. Log in to any WordPress application (localhost or public host).
  2. Modify the variable fs_contact_form1[welcome] in Fast Secure Contact Form 4.0.37 (recently updated version) at the URL http://yourwordpresssite.com/wordpress/wp-admin/plugins.php?page=si-contact-form%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1
  3. Fill all the variables with the <script>alert(document.cookie);</script> payload and save the settings.
  4. The added XSS payload is then executed whenever a user views the page.
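The root cause described above is a settings value that is stored from a POST request and later written back into the admin page unescaped. The PHP below is an added example, not code from the Fast Secure Contact Form plugin: it shows that vulnerable save/render pattern next to a hardened one that sanitizes on save (honouring the unfiltered_html capability, which DISALLOW_UNFILTERED_HTML removes from every user) and escapes on output. The function names prefixed fscf_example_ and the textarea markup are assumptions for illustration; the WordPress functions esc_textarea(), wp_kses_post() and current_user_can() are real, and the function_exists() fallbacks only exist so the file also runs under plain PHP outside WordPress.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded; the
// fallbacks below approximate the WordPress helpers so the file runs stand-alone.

if (!function_exists('esc_textarea')) {
    // Real esc_textarea() HTML-encodes the value for use inside <textarea>.
    function esc_textarea($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Real wp_kses_post() keeps an allow-list of post HTML; <script> is never in
    // that list. This stand-alone fallback simply strips every tag.
    function wp_kses_post($text) {
        return strip_tags((string) $text);
    }
}
if (!function_exists('current_user_can')) {
    // Outside WordPress, behave like a user without unfiltered_html, which is
    // what DISALLOW_UNFILTERED_HTML enforces for all users inside WordPress.
    function current_user_can($capability) {
        return false;
    }
}

// --- Vulnerable pattern: the POST value is stored and echoed back verbatim. ---
function fscf_example_save_vulnerable(array $post, array &$options) {
    $options['welcome'] = $post['fs_contact_form1']['welcome'] ?? '';
}

function fscf_example_render_vulnerable(array $options) {
    // Stored script runs in the browser of every admin who opens the settings tab.
    return '<textarea name="fs_contact_form1[welcome]">' . $options['welcome'] . '</textarea>';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
// In the real handler this would sit behind current_user_can('manage_options')
// and check_admin_referer() as well; those checks are omitted here for brevity.
function fscf_example_save_hardened(array $post, array &$options) {
    $raw = (string) ($post['fs_contact_form1']['welcome'] ?? '');
    // Users who keep unfiltered_html may store markup; everyone else is filtered
    // through the post allow-list. With DISALLOW_UNFILTERED_HTML set, the filter
    // branch applies to every user, which is the behaviour the report expected.
    $options['welcome'] = current_user_can('unfiltered_html') ? $raw : wp_kses_post($raw);
}

function fscf_example_render_hardened(array $options) {
    // Escape at the output point regardless of what was stored, so a value that
    // reached the database by another route still cannot execute.
    return '<textarea name="fs_contact_form1[welcome]">' . esc_textarea($options['welcome']) . '</textarea>';
}

// Runs both patterns over the payload from the report and returns whether a
// live <script> tag reaches the rendered page. Expected: vulnerable => true,
// hardened => false.
function fscf_example_demo() {
    // Constructed request, mirroring the parameter named in the report.
    $post = ['fs_contact_form1' => ['welcome' => '<script>alert(document.cookie);</script>']];

    $vulnerable = [];
    fscf_example_save_vulnerable($post, $vulnerable);
    $hardened = [];
    fscf_example_save_hardened($post, $hardened);

    return [
        'vulnerable' => stripos(fscf_example_render_vulnerable($vulnerable), '<script') !== false,
        'hardened'   => stripos(fscf_example_render_hardened($hardened), '<script') !== false,
    ];
}

var_export(fscf_example_demo());
```

Escaping at output (esc_textarea, or esc_attr for an input value) is the fix that closes the bug on its own; the save-time filtering is defence in depth so that a stored value cannot later be rendered unsafely by some other template.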

Timeline
05-09-2015 – Discovered in Fast Secure Contact Form plugin 4.0.37 Version
07-09-2015 – Reported to WP Plugin
07-09-2015 – WP Plugin responded, "Thank you for reporting this plugin. We're looking into it right now."
08-09-2015 – Fixed in version 4.0.38 of the Fast Secure Contact Form plugin


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
