@Xib3rR4dAr
Created March 2, 2024 18:36
Avada <= 7.11.6 Contributor+ Stored XSS (on form submission)

Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)

Description

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Stored Cross-Site Scripting via the form redirect URL in versions up to, and including, 7.11.6, due to insufficient input sanitization and output escaping of user-supplied input. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages; the injected script executes whenever a user submits the malicious form. By exploiting the XSS, an attacker can perform actions on behalf of other users, such as creating a new backdoor admin account when an administrator views the form. The redirect URL parameter can be set to a javascript: protocol URL, which allows custom JS to execute when the form is submitted.

Steps from Author:

  1. Log in as author
  2. Visit http://example.com/wp-admin/admin.php?page=avada-forms
  3. Enter any name for the form and click "Create New Form"
  4. In the editor, the "Text" tab should already be selected; if not, click the "Text" tab and paste:
     [fusion_form_submit]Click here to view content[/fusion_form_submit]
  5. Click the "Confirmation" tab at the bottom
  6. Change the form confirmation type from "Display Message" to "Redirect to URL"
  7. Set "Redirect URL" to javascript:alert('XSS')
  8. Click "Update" and note the form id in the URL (post={form_id})
  9. Visit http://example.com/wp-admin/post-new.php to create a new post
  10. Enter any title for the post
  11. In the editor, the "Text" tab should already be selected; if not, click the "Text" tab and paste (replace the form_post_id value with the id of the created form):
      [fusion_form form_post_id="123" /]
  12. Click "Publish"
  13. Visit the permalink of the post shown below the title
  14. The XSS now triggers for any user who visits the page and submits the form by clicking "Click here to view content"

The issue can also be exploited by a contributor user, but that would require a higher-privileged user to approve the form and the post.

Detection

Endpoint: /wp-admin/post.php
Parameter: _fusion[redirect_url] contains the javascript protocol, e.g. _fusion[redirect_url]=javascript:alert('XSS')

Fix

Validate and sanitize the protocol of the redirect URL before redirecting a user.
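The following is an added example, not code from the gist author or from the Avada theme, covering both the Detection and Fix sections above. It assumes (as a reasonable reading of the advisory) that a form's post-submission redirect only ever needs an http/https URL or a site-relative path, so every other scheme is rejected server-side, and it shows the matching detection check over POST bodies to /wp-admin/post.php. The request bodies and the helper names (normalise_url, url_scheme, sanitize_redirect_url, flag_request, scan) are constructed for this example. The normalisation step strips ASCII control characters and percent-decodes before reading the scheme, which is the same idea WordPress' own esc_url() applies, so a check on the raw string alone is not fooled by encoding or case differences.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote

# Assumption: a form redirect only ever needs an absolute http(s) target or a
# site-relative path. Anything else (javascript:, data:, mailto:, ...) is refused.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers ignore ASCII whitespace/control characters when reading a URL scheme,
# so they are removed before inspection (mirrors what WordPress' esc_url() does).
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def normalise_url(value: str) -> str:
    """Percent-decode (twice, to catch double encoding) and drop control characters."""
    return _CONTROL_CHARS.sub("", unquote(unquote(value)))


def url_scheme(value: str) -> Optional[str]:
    """Lower-case scheme of the URL, or None for scheme-less (relative) values."""
    m = _SCHEME.match(normalise_url(value))
    return m.group(1).lower() if m else None


def sanitize_redirect_url(value: str) -> Optional[str]:
    """Server-side fix: return the value if it is safe to store as a redirect
    target, otherwise None so the caller discards it.
    Accepts http(s) URLs and site-relative paths; refuses every other scheme and
    protocol-relative '//host' values, which would redirect off-site."""
    scheme = url_scheme(value)
    if scheme is None:
        return None if value.lstrip().startswith("//") else value
    return value if scheme in ALLOWED_SCHEMES else None


def flag_request(raw_body: str) -> bool:
    """Detection: True when a POST body to /wp-admin/post.php carries a
    _fusion[redirect_url] whose scheme is neither http nor https."""
    params = parse_qs(raw_body, keep_blank_values=True)  # decodes keys and values once
    for v in params.get("_fusion[redirect_url]", []):
        scheme = url_scheme(v)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            return True
    return False


def scan(bodies: List[str]) -> List[int]:
    """Indices of the request bodies that should be flagged."""
    return [i for i, body in enumerate(bodies) if flag_request(body)]


# Constructed sample POST bodies (not captured traffic), as a WAF or proxy might log them.
SAMPLE_REQUESTS = [
    "post_ID=123&_fusion%5Bredirect_url%5D=https%3A%2F%2Fexample.com%2Fthanks",
    "post_ID=124&_fusion%5Bredirect_url%5D=%2Fthank-you%2F",
    "post_ID=125&_fusion%5Bredirect_url%5D=javascript%3Aalert(%27XSS%27)",
    "post_ID=126&_fusion%5Bredirect_url%5D=%20JAVASCRIPT%3Aalert(1)",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"flagged request {i}: {SAMPLE_REQUESTS[i]}")
    for candidate in ["https://example.com/thanks", "/thank-you/", "javascript:alert('XSS')"]:
        print(f"{candidate!r} -> {sanitize_redirect_url(candidate)!r}")
```

In the theme itself the same allowlist belongs at the point where _fusion[redirect_url] is saved (so a javascript: value never reaches the database) and again where the stored value is emitted to the page; in WordPress, passing the value through esc_url() or wp_http_validate_url() on save is the usual way to get this behaviour.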
