In this long read, we discuss a recently uncovered vulnerability, CVE-2022-23179, affecting the Contact Form & Lead Form Elementor Builder WordPress plugin. Before version 1.7., the plugin does not escape some of its form fields before outputting them in attributes. Consequently, high-privilege users can perform stored Cross-Site Scripting (XSS) attacks, even when the unfiltered_html capability is disallowed.

We will provide detailed insights into the issue, including code snippets, links to original references, and a walkthrough of how the issue is exploited.

Background

Contact Form & Lead Form Elementor Builder is a popular WordPress plugin used to create and manage forms and lead generation on WordPress sites built with the Elementor website builder. However, the unescaped form fields pave the way for possible XSS attacks by high-privilege users on the website.

Details on the Vulnerability - CVE-2022-23179

CVE-2022-23179 is a stored XSS vulnerability present in the Contact Form & Lead Form Elementor Builder plugin, allowing high-privileged users like administrators, editors, and authors to add malicious payloads in various form fields that propagate to attributes without being escaped. Such attacks can lead to unauthorized access, data breaches, and total website compromise.

The official reference can be found on the CVE website, and details about the affected plugin versions are available on the WordPress plugin page.

Code Snippet

Here is a code snippet from the vulnerable plugin file, where the form fields are not escaped properly:

// File: /plugins/contact-forms-builder-elementor/includes/widgets/contact_forms_builder_elementor_widget.php
function render_plain_content() {
    // ...
    // Settings saved through the form editor are concatenated straight into
    // double-quoted attribute strings; no escaping (e.g. esc_attr()) is applied.
    $form_id = 'form_id="' . $this->get_settings('form_id') . '"';
    $form_action = 'form_action="' . $this->get_settings('form_action') . '"';
    // ...
}

In this code snippet, $form_id and $form_action are built from the return values of get_settings(), which are placed inside double-quoted attributes without any escaping. A stored value containing a double quote therefore terminates the attribute early, and whatever follows it is interpreted as markup, which is what makes the stored XSS possible.
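The following standalone PHP is an added illustration, not the plugin's own code: it reproduces the attribute-building pattern above once unescaped and once wrapped in WordPress's esc_attr(), then parses both outputs to count the attributes a browser-style parser actually sees. The function names, the polyfill for esc_attr() and the sample settings are assumptions made for the demo.

```php
<?php
// Added example, not code from the plugin. esc_attr() is WordPress's attribute
// escaper; it is polyfilled here so the file runs from the command line.
// Setting names mirror the snippet above; the values are constructed.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        // WordPress esc_attr() encodes &, <, >, " and '.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
    }
}

// Same shape as the vulnerable code: raw settings concatenated into attributes.
function render_attributes_vulnerable(array $settings): string
{
    return 'form_id="' . $settings['form_id'] . '" '
         . 'form_action="' . $settings['form_action'] . '"';
}

// Hardened version: every setting is escaped for the attribute context first.
function render_attributes_hardened(array $settings): string
{
    return 'form_id="' . esc_attr($settings['form_id']) . '" '
         . 'form_action="' . esc_attr($settings['form_action']) . '"';
}

// Check used by the demo: parse the attribute string as real HTML and count how
// many attributes the parser sees on the element. Two is correct; more means a
// value terminated its attribute early and smuggled in another one.
function count_parsed_attributes(string $attrs): int
{
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $dom->loadHTML('<div ' . $attrs . '></div>');
    libxml_clear_errors();
    return $dom->getElementsByTagName('div')->item(0)->attributes->length;
}
// Constructed settings: the form_action value carries a double quote, which is
// all it takes to close the attribute when nothing escapes it.
$settings = [
    'form_id'     => 'contact-1',
    'form_action' => 'demo" title="injected',
];

foreach (['vulnerable' => render_attributes_vulnerable($settings),
          'hardened'   => render_attributes_hardened($settings)] as $label => $out) {
    printf("%-10s %s  (attributes parsed: %d)\n", $label, $out, count_parsed_attributes($out));
}
```

Run it with the php CLI; the unescaped output yields three parsed attributes while the escaped output keeps the injected quote inside form_action as literal text.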

Exploit Details

To exploit this vulnerability, a high-privileged user, such as an administrator, editor, or author, can manipulate the plugin's form settings and insert malicious JavaScript payloads, leading to stored XSS attacks.

1. Add a new form or tamper with an existing one.

2. Enter the JavaScript payload (e.g., <script>alert('XSS')</script>) into vulnerable fields like Form ID or Form Action.

3. Save the form and publish or update the page.

Whenever a low-privileged user loads a page containing the modified form, the malicious payload executes in that victim's browser, compromising their session and security.

Recommendations

The vulnerability has been addressed in version 1.7. of the Contact Form & Lead Form Elementor Builder plugin. Upgrading to the latest version is highly recommended to avoid susceptibility to the XSS attack. Furthermore, restricting high-privilege roles to trusted individuals can mitigate the risk of exploitation.

Conclusion

CVE-2022-23179 is a critical stored XSS vulnerability in versions before 1.7. of the Contact Form & Lead Form Elementor Builder WordPress plugin. This report on the security issue covers code snippets, original reference links, and exploit details, highlighting why it is vital to keep plugins and themes updated to safeguard your WordPress website.

Timeline

Published on: 01/16/2024 16:15:09 UTC
Last modified on: 01/23/2024 20:42:27 UTC