form_maker_cfm() is reachable by every registered user (an account created via wp-login.php?action=register is enough) because it is hooked with add_action('wp_ajax_get_stats_fmc', 'form_maker_cfm') and performs no capability check.
This function includes and runs the /admin/controllers/FMControllerManage_fmc.php class, which is responsible for plugin management.
Through wp-admin/admin-ajax.php, a low-privileged user can therefore edit any plugin form and store XSS in it, because the output is not escaped properly.
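The root cause above is a wp_ajax_ handler that trusts any authenticated user. The following is an added, illustrative example (not code from the Form Maker plugin): a constructed handler named example_manage_forms in its vulnerable shape, followed by the hardened shape a plugin author should use. The action names, option key and request parameters are assumptions made for the example; the WordPress APIs (current_user_can, check_ajax_referer, sanitize_text_field, esc_html, wp_send_json_error) are real.

```php
<?php
// Added example, not the plugin's own code. Action and option names are constructed.

// Vulnerable shape. wp_ajax_{action} fires for every logged-in account, including
// subscribers registered through wp-login.php?action=register, so without a
// capability check the "management" handler is effectively public to members.
add_action( 'wp_ajax_example_manage_forms_unsafe', 'example_manage_forms_unsafe' );
function example_manage_forms_unsafe() {
    $title = $_POST['title'];                       // untrusted, unsanitized
    update_option( 'example_form_title', $title );  // persisted as-is (stored XSS sink)
    echo '<h2>' . $title . '</h2>';                 // echoed unescaped (reflected sink)
    wp_die();
}

// Hardened shape: authorization, CSRF protection, input sanitization and
// output escaping, each as a separate, explicit step.
add_action( 'wp_ajax_example_manage_forms', 'example_manage_forms_safe' );
function example_manage_forms_safe() {
    // 1. Authorization: management actions require an administrative capability.
    //    A default subscriber account does not have manage_options and is rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted with
    //    wp_create_nonce( 'example_manage_forms' ); check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'example_manage_forms', 'nonce' );

    // 3. Input sanitization: strip tags/control characters before storing.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Missing title' ), 400 );
    }
    update_option( 'example_form_title', $title );

    // 4. Output escaping at the point of use, regardless of what was stored.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    wp_die();
}
```

When reviewing a plugin for this class of bug, grep for add_action( 'wp_ajax_ and confirm that every handler calls current_user_can() (or an equivalent capability gate) before touching plugin state; a handler that is hooked only to wp_ajax_ and not wp_ajax_nopriv_ still runs for any authenticated role.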
Proof of Concept:
Login as standard user.
The following request data edits the form with ID=1 and adds a simple XSS payload to it:
- 14-10-2014: Discovered
- 07-11-2014: Vendor notified
- 08-11-2014: Version 1.7.19 released, issue resolved