WordPress Ninja Forms 2.9.21 Cross Site Scripting

Posted on Posted in Exploit

WordPress Ninja Forms plugin version 2.9.21 suffers from a cross site scripting vulnerability.

Title: WordPress 'Ninja Forms' Plugin - XSS
Version: 2.9.21
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/07/14
Download: https://wordpress.org/plugins/ninja-forms/
Contacted authors: 2015/07/14

## Description: 
Forms created with a simple drag and drop interface. Contact forms, Email collection forms, or any other form you want on your WordPress site.

## Reflected XSS:
Certain parameters are used unsanitized in the admin pages. 

Log in as admin and visit one of the following URLs:


It looks like there are more vulnerabilities, since the plugin has code like this:

file: subs-cpt.php
l.883 if ( isset ( $_REQUEST['ref'] ) ) {
l.884   $ref = $_REQUEST['ref'];
l.885 } else if ( get_transient( 'nf_sub_edit_ref' ) ) {
l.886   $ref = get_transient( 'nf_sub_edit_ref' );
l.887 } else {
l.888   $ref = '';
l.889 }
l.890 ?>
l.891 <input type="hidden" name="ref" value="<?php echo $ref; ?>" />

## Solution
No fix available.

Quelle: Packet storm Security