Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Stored Cross-Site Scripting via fusion_form_submit shortcode in versions up to, and including, 7.11.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
While creating a button, Avada allows to add attributes to a button, which can be exploited to perform XSS. By exploiting XSS attacker can perform actions on behalf of other users like create new backdoor admin account when admin views the form.
- Login as contributor user
- Visit http://127.0.0.1/wp-admin/admin.php?page=avada-forms
- Enter any name for form and click "Create New Form"
- In editor, "Text" tab would already be selected, if not then click "Text" tab and paste:
[fusion_form_submit link_attributes="autofocus onfocus=eval(atob("YWxlcnQoJ1hTUycpOw"))"]Submit[/fusion_form_submit]- Click "Submit for Review"
- Logout from contributor user
- Login as administrator user
- View form created by user by visiting http://192.168.253.1/wp-admin/admin.php?page=avada-forms
- Clicking "Live Builder" for the form created by contributor user will trigger XSS without further interaction.
Author and other users can also publish a form having XSS in shortcode and then link to a post then XSS will trigger when any visiting user visits the post.