------------------------------------------------------------------------
Reflected Cross-Site Scripting in FormBuilder WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability has been found in the
FormBuilder [2] WordPress plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0006

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on FormBuilder [2] version 1.05

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
A fix for this issue is currently not available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The FormBuilder [2] WordPress plugin allows you to build contact forms
in the WordPress administrative interface without needing to know PHP or
HTML. A reflected Cross-Site Scripting vulnerability has been found in
the FormBuilder WordPress plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf.
In order to exploit this issue, the attacker has to lure/force a logged
on WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists due to the fact that neither the fbmsg nor the
formSearchQuery field in the tools.php file validates n edit it here -

http:///wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery=">

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/reflected_cross_site_scripting_in_formbuilder_wordpress_plugin.html
[2] https://wordpress.org/plugins/formbuilder/
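
------------------------------------------------------------------------
Added example: log check for the affected parameters
------------------------------------------------------------------------
Since no fix is available, one way to spot attempts against the two
fields named under Details is to scan web server access logs. The script
below is an added example, not part of the original advisory or of the
plugin; it assumes Common/Combined Log Format, that the plugin pages are
reached with page=formbuilder.php as in the URL above, and the log lines
in it are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as reflected without validation.
WATCHED_PARAMS = ("fbmsg", "formSearchQuery")
# Characters that allow breaking out of an HTML attribute or opening a tag.
HTML_META = re.compile(r"[<>\"']")
# Request line of a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2016:10:00:01 +0000] "GET /wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery=invoice HTTP/1.1" 200 5123',
    '203.0.113.5 - - [24/Jul/2016:10:00:09 +0000] "GET /wp-admin/tools.php?page=formbuilder.php&fbaction=formResults&formSearchQuery=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5190',
    '198.51.100.7 - - [24/Jul/2016:10:01:30 +0000] "GET /wp-admin/tools.php?page=formbuilder.php&fbmsg=Form+saved HTTP/1.1" 200 4801',
    '198.51.100.7 - - [24/Jul/2016:10:02:11 +0000] "GET /wp-admin/tools.php?page=other.php&formSearchQuery=%3Cb%3E HTTP/1.1" 200 300',
]

def suspicious_params(target):
    """Return {param: decoded value} for watched params with HTML metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/tools.php"):
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx once
    # Assumption: FormBuilder admin pages are addressed via page=formbuilder.php.
    if "formbuilder.php" not in query.get("page", []):
        return {}
    hits = {}
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if HTML_META.search(value):
                hits[name] = value
    return hits

def scan(lines):
    """Return [(line number, hits)] for every log line that matches."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = suspicious_params(match.group(1)) if match else {}
        if hits:
            findings.append((lineno, hits))
    return findings

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(lineno, hits)
```

Values are percent-decoded only once, so double-encoded input is not
flagged, and a legitimate search containing an apostrophe will be.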