Back to all zero days

Reflected XSS in Fast Secure Contact Form

Affected Vendor

Fast Secure

Status

Fixed

Date

7th Sep, 2015

High Severity

Description

A Cross-Site Scripting vulnerability was identified in WordPress plugin Fast Secure Contact Form before 4.0.37 in fs_contact_form1[welcome].  

Proof of concept: (POC)

Visit the following page on a site with this plugin installed.

http://yourwordpresssite.com/wordpress/wpadmin/plugins.php?page=sicontactform%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1 and modify the value of fs_contact_form1[welcome] variable with <script>alert(document.cookie);</script> payload and send the request to the server. Now, the added XSS payload is echoed back from the server without validating the input whenever we visit the script stored page.

Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.

define( 'DISALLOW_UNFILTERED_HTML', true );

Issue: POST request parameter fs_contact_form1[welcome] variable in the given URL http://yourwordpresssite.com/wordpress/wpadmin/plugins.php?page=sicontactform%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1 of Fast Secure Contact Form 4.0.37 is vulnerable to Cross-Site Scripting (XSS).

Figure 01: http://yourwordpresssite.com/wordpress/wp-admin/plugins.php?page=si-contact-form%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1

Figure 02: XSS Payload is executed in the browser whenever the user views it.

Impact

An attacker can inject malicious code into the applications via a vulnerable variable. 

Remediations

Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

Timeline

Sep 05, 2015: Discovered in Fast Secure Contact Form plugin 4.0.37 Version.
Sep 07, 2015: Reported to WP Plugin.

Sep 07, 2015: WP acknowledged the issue.

Sep 08, 2015: Fixed in 4.0.38 version of Fast Secure Contact Form plugin.

Discovered by

Cyber Security Works Pvt. Ltd

 


  • Affected VendorFast Secure
  • Bug NameReflected XSS
  • CVE NumberCVE-2015-9539
  • CWE IDCWE - 79
  • CSW ID2015-CSW-09-1007
  • CVSSv3 Score4.8
  • Affected Version4.0.37
  • SeverityHigh
  • Affected ProductFast Secure Contact Form
fb icon twitter icon insta icon

Do your applications use this vulnerable package?