A Stored Cross-site Scripting (XSS) vulnerability, tracked as CVE-2023-5048, has been discovered in the WDContactFormBuilder plugin for WordPress. It affects all versions of the plugin up to, and including, version 1.0.72. The flaw allows authenticated attackers with contributor level permissions, or higher, to inject arbitrary web scripts into WordPress pages, where they execute in the browser of every user who views the affected page. This may result in unauthorized access to sensitive information or even a takeover of the affected website.

Vulnerability Explanation

The Stored XSS vulnerability is caused by missing input validation and output escaping on the user-supplied 'id' attribute of the 'Contact_Form_Builder' shortcode. The plugin treats the attribute as the numeric id of the form to render but never checks that it is a number: whatever string is written in the shortcode is passed through to the plugin's output and echoed into the page. An attacker who can place the shortcode in post content can therefore store JavaScript in that attribute, and it will be executed by the browser of every user who views the page. Consequently, it can compromise the security of the affected website, potentially resulting in data exposure, unauthorized access, or even a takeover of the site.

Here is a simplified code snippet illustrating the vulnerability:

// In the Contact_Form_Builder.php file: the shortcode handler receives the attributes
// exactly as they were typed into the post content
function contact_form_builder_shortcode($atts) {
  extract(shortcode_atts(array(
    'id' => 1
  ), $atts));
  // No input validation or output escaping on the user-supplied 'id' attribute
  // before it is handed to the renderer, which echoes it into the page
  return contact_form_builder_output($id);
}

Exploit Details

To exploit this vulnerability, an attacker with contributor level (or higher) permissions can perform the following steps:

1. Log in to WordPress as a contributor or any higher-level user.

2. Create a new post or page and insert the 'Contact_Form_Builder' shortcode with a malicious payload in the 'id' attribute. For example:

[Contact_Form_Builder id="1<script>alert('XSS');</script>"]

3. Save the post. It does not need to be published: the shortcode is rendered, and the stored value echoed, whenever the post is viewed, including the contributor's own preview, an editor's review of the pending post, and any later public view.

Two caveats apply. Content saved by a user without the unfiltered_html capability (contributors and authors) passes through KSES, which strips the <script> tags from the payload above while leaving the shortcode and its attribute in place; KSES filters HTML tags, it does not validate shortcode attributes, so a value that contains no disallowed tag still reaches the plugin's renderer unchanged. Administrators (and, on single-site installs, editors) hold unfiltered_html and store the payload exactly as written.
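As an added example (not part of the original advisory and not the plugin's code), the following stand-alone PHP script shows how to check existing content for exploitation attempts: it scans post content for Contact_Form_Builder shortcodes whose id attribute is anything other than a positive integer. The function name, the regular expressions and the sample rows are assumptions made for the illustration; on a real site the rows would come from wp_posts.

```php
<?php
// Added example, not code from the advisory or from the plugin: scan post content for
// Contact_Form_Builder shortcodes whose 'id' attribute is not a plain positive integer,
// which is what an exploitation attempt against this issue looks like in the database.
// On a live site the rows would come from wp_posts; $posts below is constructed sample data.

/**
 * Return the raw 'id' attribute of every [Contact_Form_Builder ...] instance in $content
 * whose value is not a positive integer. An empty array means nothing suspicious.
 */
function find_suspicious_cfb_ids(string $content): array
{
    $suspicious = [];
    // The tag match is case-insensitive, as in WordPress, and the attribute list ends at
    // the first ']', which is also where WordPress's own shortcode tokenizer stops.
    if (!preg_match_all('/\[Contact_Form_Builder\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER)) {
        return $suspicious;
    }
    foreach ($tags as $tag) {
        // shortcode_parse_atts() accepts id="...", id='...' and a bare id=...
        if (!preg_match('/\bid\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/i', $tag[1], $att)) {
            continue; // no id attribute: the plugin falls back to its default of 1
        }
        // Pick whichever capture group matched (later groups are absent when an earlier one won).
        $id = $att[3] ?? $att[2] ?? $att[1];
        if (!preg_match('/^[1-9][0-9]*$/', $id)) {
            $suspicious[] = $id;
        }
    }
    return $suspicious;
}

// Constructed sample rows standing in for wp_posts.
$posts = [
    ['ID' => 10, 'post_author' => 3, 'post_content' => 'Contact us: [Contact_Form_Builder id="2"]'],
    ['ID' => 11, 'post_author' => 7, 'post_content' => '[Contact_Form_Builder id=1] plain form'],
    ['ID' => 12, 'post_author' => 9, 'post_content' => "[Contact_Form_Builder id=\"1<script>alert('XSS');</script>\"]"],
    ['ID' => 13, 'post_author' => 9, 'post_content' => '[contact_form_builder id=\'abc\']'],
];

foreach ($posts as $post) {
    foreach (find_suspicious_cfb_ids($post['post_content']) as $id) {
        printf("post %d (author %d): suspicious id attribute %s\n",
            $post['ID'], $post['post_author'], var_export($id, true));
    }
}
```

Run it with php from the command line. Because the check is "not a positive integer" rather than "contains a script tag", it also flags payloads that were reshaped to get past KSES, and it reports the author id so the account that stored the value can be reviewed.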

Mitigation

To protect your WordPress site against this vulnerability, take the following steps:

1. Update the WDContactFormBuilder plugin to a release newer than 1.0.72 as soon as the developers publish one; every version up to and including 1.0.72 is affected.
2. If you must keep an affected version running, patch the shortcode handler in the Contact_Form_Builder.php file so that the 'id' attribute is validated as an integer before it is used. The form id is a number, so the fix is to coerce the value to one. An output-escaping function such as esc_attr() belongs at the point where a value is echoed into HTML, not here, and has no effect on a value that is cast to int anyway:

// Validate the 'id' attribute in the shortcode handler before it is used
function contact_form_builder_shortcode($atts) {
  $atts = shortcode_atts(array(
    'id' => 1
  ), $atts);

  // absint() coerces the user-supplied value to a non-negative integer, so any
  // markup in the attribute is discarded. The original handler's extract() call
  // is dropped as well: reading the array directly keeps the variable's origin obvious.
  $id = absint($atts['id']);

  return contact_form_builder_output($id);
}

Output escaping inside contact_form_builder_output() remains the right place to protect whatever else is echoed into the form markup: esc_attr() for attribute values, esc_html() for element bodies.
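To see the difference outside WordPress, here is an added stand-alone PHP model (not the plugin's code) of the handler before and after the fix, with minimal stand-ins for shortcode_atts(), absint() and esc_attr() so it runs without WordPress. The markup emitted by contact_form_builder_output() is an assumption; the real plugin renders a complete form, but the point is the same: the id lands inside HTML.

```php
<?php
// Added example, not the plugin's code: a stand-alone model of the shortcode handler before
// and after the fix, with stand-ins for the WordPress functions it calls.

// Stand-in for WordPress shortcode_atts(): keep only known keys, fill in defaults.
function shortcode_atts(array $defaults, array $atts): array
{
    $out = [];
    foreach ($defaults as $name => $default) {
        $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
    }
    return $out;
}

// Stand-in for WordPress absint(): non-negative integer.
function absint($value): int
{
    return abs((int) $value);
}

// Stand-in for WordPress esc_attr() (the real one does more; HTML escaping is the core).
function esc_attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Assumed renderer: the form id is written into an attribute and into the element body.
// Which payload fires depends on where the value lands; the integer cast in the fixed
// handler closes every context at once.
function contact_form_builder_output($id): string
{
    return '<div class="cfb-form" data-form-id="' . $id . '">Form ' . $id . '</div>';
}

// Before: the attribute value flows straight from the post content into the markup.
function contact_form_builder_shortcode_vulnerable(array $atts): string
{
    $a = shortcode_atts(['id' => 1], $atts);
    return contact_form_builder_output($a['id']);
}

// After: the id is an integer by the time it reaches the renderer, and the renderer
// still escapes at the point of output, since validation and escaping are separate duties.
function contact_form_builder_output_hardened(int $id): string
{
    $safe = esc_attr((string) $id);
    return '<div class="cfb-form" data-form-id="' . $safe . '">Form ' . $safe . '</div>';
}

function contact_form_builder_shortcode_fixed(array $atts): string
{
    $a = shortcode_atts(['id' => 1], $atts);
    $id = absint($a['id']);
    if ($id === 0) {
        return ''; // no such form: render nothing rather than an attacker-chosen value
    }
    return contact_form_builder_output_hardened($id);
}

// The payload from the advisory, as shortcode_parse_atts() would hand it to the handler.
$atts = ['id' => "1<script>alert('XSS');</script>"];

echo "vulnerable: ", contact_form_builder_shortcode_vulnerable($atts), "\n";
echo "fixed:      ", contact_form_builder_shortcode_fixed($atts), "\n";
```

The vulnerable line reproduces the script tag inside the div; the fixed line contains only the digit 1, because (int) conversion of a string stops at the first non-numeric character and absint() discards the rest.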

References

- CVE-2023-5048: WordPress WDContactFormBuilder Stored XSS Vulnerability
- WordPress Plugin Repository - WDContactFormBuilder

In conclusion, since the WDContactFormBuilder plugin is installed on many WordPress sites, addressing this vulnerability promptly is crucial for maintaining the security and integrity of the sites that use it. Follow the mitigation steps above, and check existing content for shortcodes carrying non-numeric id values, to protect your site against attacks and safeguard your data.

Timeline

Published on: 11/22/2023 16:15:10 UTC
Last modified on: 02/01/2024 02:26:27 UTC