CVE-2023-5125 - Stored Cross-Site Scripting Vulnerability in Contact Form by FormGet Plugin for WordPress

Summary:
Contact Form by FormGet, a popular WordPress plugin, has been identified to contain a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 5.5.5. This vulnerability allows authenticated attackers to inject arbitrary web scripts, which will be executed whenever a user accesses an injected page. In this post, we will discuss the details of this vulnerability and provide a code snippet and links to original references.

Introduction

The Contact Form by FormGet plugin is widely used to create and embed contact forms on WordPress websites. A security vulnerability has been discovered, which allows authenticated attackers with contributor-level permissions or higher to inject and store malicious scripts within the 'formget' shortcode, due to insufficient input sanitization and output escaping mechanisms.

Exploit Details

The vulnerability exists in the 'formget' shortcode, which is used to embed a contact form into a WordPress post or a page. By exploiting this Stored XSS vulnerability, an attacker with contributor or higher level of permissions can potentially inject a malicious script through the shortcode's parameters. When a victim accesses the page containing the malicious script, it will be executed in the victim's browser, potentially leading to various security risks.

The following code snippet demonstrates the exploit

formget formCode='">' onload='alert("XSS")'></form><iframe src='http://example.com/yourformcode'>;

In the example above, an attacker includes an onload event in the formCode parameter, which triggers an alert displaying "XSS" when the page is loaded. This example demonstrates the potential for arbitrary script insertion in the shortcode.

Mitigation

To mitigate this issue, it's crucial for website administrators to update the Contact Form by FormGet plugin to version 5.5.6 or higher, which has addressed the vulnerability. Additionally, implementing proper input sanitization and output escaping in your own code is always a best practice to ensure that user inputs are treated safely and securely.

References

1. [CVE-2023-5125 - National Vulnerability Database
2. Securing your WordPress Contact Forms

Conclusion

In conclusion, the Contact Form by FormGet plugin contained a Stored XSS vulnerability, which granted authenticated attackers the ability to inject arbitrary web scripts that would execute upon accessing an injected page. This vulnerability has been patched in version 5.5.6 of the plugin and website administrators should ensure that they have updated to the latest version to protect against this exploit.

Timeline

Published on: 09/23/2023 05:15:31 UTC
Last modified on: 11/07/2023 04:23:28 UTC