Multiple Authenticated Stored XSS in NinjaForms Settings Page (Version 3.4.22 )


Authenticated Stored XSS in NinjaForms Settings Page (Version 3.4.22 )



A Spider Sec Ltd consultant discovered an Authenticated Stored XSS vulnerability inside the Ninja forms WordPress Plugin which could allow attackers to hi-jack administrative cookies if an attack is coupled together with a phishing campaign.


Technical Details

The following parameters are vulnerable to Stored XSS on the administrative section of the Ninja Forms WordPress Plugin:

ninja_forms[date_format]=, ninja_forms[recaptcha_site_key]=, ninja_forms[recaptcha_lang]=

Using the following payload:

m/d/Yufyiy' onfocus=alert(document.cookie) autofocus= etyeqchypbw


So how can a hacker use this to attack my administrative panel?

Yes, but it requires a phishing campaign and a pretty trusting administrator.

First, create a button which submits the vulnerable POST and host it.

<form action="http://VictimsURL/wp-admin/admin.php?page=nf-settings" method="POST">
<input name="ninja_forms[date_format]" type="hidden" value="zm/d/Yufyiy' onfocus=alert(document.cookie) autofocus= etyeqchypbw" />
<input type="submit" value="Submit request" />

Next, persuade a victim to press the button, this would obviously be styled in a more persuasive manner or hidden inside a clickjacking attack.

The code is then stored on the back-end waiting for the administrator to access the settings page, wherein it will trigger.


Update to version 3.4.23

Calculated Fields Form WP Plugin (Version <= 1.0.353) Authenticated Stored XSS


Calculated Fields Form WP Plugin (Version <= 1.0.353) Multiple Authenticated Stored XSS


The Calculated Fields Form plugin through 1.0.353 for WordPress suffers from multiple Stored XSS vulnerabilities present in the input forms. These Calculated Fields Form vulnerabilities were discovered during a web application penetration test by a Spider Sec Ltd Consultant.

Technical Details​

An authenticated user with access to edit or create forms can inject javascript into input fields such as ‘field name’ and ‘form name’. This results in the XSS being stored both on the back-end and front-end of the WordPress website. As a result, both users and administrators could be a target if a WordPress website is compromised. However, these vulnerabilities are unlikely to be weaponised due to the level of authentication required to exploit.


Update to the latest version of this plugin version 1.0.354


WPVDB ID 10043

Chained Quiz WP Plugin Unauthenticated Reflected XSS (Version


Chained Quiz WP Plugin Unauthenticated Reflected XSS (Version


During a web application penetration testing engagement, we discovered our client was using the Chained Quiz Plugin to serve quizzes on the front-end of their site. A quick analysis using WPscan uncovered several historic Chained Quiz Vulnerabilities which had been disclosed in previous versions. As a result of the volume of historic vulnerabilities, we decided to set up a test lab to see if any new vulnerabilities had been introduced into the latest updates. Low and behold we discovered a new unauthenticated Reflected XSS vulnerability, the vulnerability was responsibly disclosed to the plugin developer and an update to the plugin was applied and can be observed here.

Technical Details

The POST parameter ‘total_questions’ fails to sanitize user input. As a result, it is possible to execute client-side JavaScript on a victims PC if the client is tricked into pressing a button containing the malicious request.
An attacker could leverage this vulnerability to steal administrative sessions tokens to a WordPress site or execute code in a victims browser.

The code in question accepts the ‘total_questions’ parameter without escaping special characters. The vulnerable code can be found in the following php file /models/quiz.php.

$output = str_replace('{{questions}}', $_POST['total_questions'], $output);

Spider Sec Ltd Consultant Ben Armstrong probed the Chained Quiz WP Plugin for Vulnerabilities as part of a web application penetration testing engagement.


Update to the latest version of this plugin, version


WPVDB ID 10029