Back to all zero days
Reflected XSS in ZOHO CRM Lead Magnet
14th Oct, 2019
A vulnerability was discovered on WordPress plugin ZOHO CRM Lead Magnet 22.214.171.124. An input variable vulnerable to XSS are ‘Module,’ ‘EditShortcode,’ and ‘LayoutName’ in the Zoho CRM form creation page. A vulnerability allows an attacker to inject malicious code into the WordPress plugin ZOHO CRM Lead magnet by providing XSS payload as a value for vulnerable variables.
Proof of concept: (POC)
Issue 1: By exploiting Cross-site scripting vulnerability, an attacker can quickly access the user’s session by stealing cookies and exploiting the user browser.
- Log in to the application.
- Install the Zoho CRM Lead Magnet Plugin.
Figure 01: Zoho CRM Lead Magnet.
- Configure the client ID and secret key.
Figure 02: Client key and secret id are filled in Authenticating Zoho CRM Plugin.
2. Click on the Create New Form button and fill the values and click on the Next button.
Figure 03: New form in Zoho CRM Plugin.
3. Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.
Figure 04: Request with XSS payload sent to the server.
Figure 05: Request and response captured in the proxy.
3. Injected XSS payload is successfully executed when the user visits or reloads the page.
Figure 07: The WordPress application runs on version 5.2.3.
Figure 08: The WordPress Zoho CRM Lead Magnet Plugin Version: 126.96.36.199.
Figure 09: The default cross-site scripting mitigation setting in wp.config file to prevent Cross-Site Scripting attacks.
An attacker can inject malicious codes into a request and the server returns the script to the client in the response using a crafted URL to reflect cross-site scripting (XSS) in a lead magnet of WordPress plugin CRM lead magnet pages.
Download the latest version and apply relevant patches advised as per vendor.
Oct 13, 2019: Discovered in WordPress (Zoho CRM Lead Magnet Plugin) Product.
Oct 14, 2019: Reported to WordPress plugin team.
Oct 15, 2019: WordPress plugin team acknowledged the report.
Oct 15, 2019: The issue acknowledged and fixed immediately.
Cyber Security Works Pvt. Ltd.
- Affected VendorZoho
- Bug NameReflected Cross-Site Scripting (XSS)
- CVE NumberCVE-2019-19306
- CWE IDCWE - 79
- CSW ID2019-CSW-03-1026
- CVSSv3 Score5.4
- Affected Version188.8.131.52
- Affected ProductLead Magnet