Exploit Author: Muhammad Zeeshan (Xib3rR4dAr)
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Stored Cross-Site Scripting via the form confirmation redirect URL in versions up to, and including, 7.11.6 due to insufficient input sanitization and output escaping on user supplied input. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages that will execute whenever a user submits the malicious form. The "Redirect URL" setting accepts the javascript: protocol, so custom JavaScript runs in the browser of whoever submits the form. By exploiting the XSS an attacker can perform actions on behalf of other users, such as creating a backdoor administrator account when an administrator submits the form.
Steps from Author:
- Log in as an author
- Visit http://example.com/wp-admin/admin.php?page=avada-forms
- Enter any name for the form and click "Create New Form"
- In the editor, the "Text" tab will already be selected; if not, click the "Text" tab and paste:
[fusion_form_submit]Click here to view content[/fusion_form_submit]
- Click the "Confirmation" tab at the bottom
- Change the form confirmation type from "Display Message" to "Redirect to URL"
- Set "Redirect URL" to
javascript:alert('XSS')
- Click "Update" and note the form ID from the URL (post={form_id})
- Visit http://example.com/wp-admin/post-new.php to create a new post
- Enter any title for the post
- In the editor, the "Text" tab will already be selected; if not, click the "Text" tab and paste (replace the form_post_id value with the ID of the created form):
[fusion_form form_post_id="123" /]
- Click "Publish"
- Visit the post's permalink shown below the title
- The XSS triggers when any user visits the post and submits the form by clicking "Click here to view content"
The issue can also be exploited by a contributor user, but that would require a higher-privileged user to approve the form and the post.
Endpoint: /wp-admin/post.php
Parameter: _fusion[redirect_url] contains the javascript: protocol, e.g. _fusion[redirect_url]=javascript:alert('XSS')
Recommended fix: validate and sanitize the URL protocol before redirecting a user; only http and https should be accepted.
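The following is an added example, not code from the Avada theme or the advisory author, showing the unsafe pattern beside a validated one. It assumes the confirmation redirect is applied in the browser by assigning the stored value to window.location (the advisory does not say where the redirect happens); the function names, the siteOrigin parameter and the sample values are assumptions. Parsing the value with the URL parser first matters: the parser strips surrounding whitespace, removes embedded tabs and newlines and lowercases the scheme, so an allowlist applied to the parsed protocol also rejects obfuscated variants such as "java\tscript:" or " JavaScript:".

```javascript
// Added example: validating a user-supplied confirmation redirect URL
// before it reaches window.location. Illustrative only; not the theme's code.

// Only these schemes may be followed after a form submission (assumption).
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse the stored value and return a URL object, or null if it must be refused.
// Relative values such as "/thank-you" resolve against siteOrigin.
function resolveRedirectUrl(raw, siteOrigin) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let url;
  try {
    url = new URL(raw, siteOrigin);
  } catch (e) {
    return null; // unparsable input is never a valid redirect target
  }
  // Check the *parsed* protocol, so "java\tscript:" and "  JavaScript:" are
  // caught along with the plain "javascript:" payload from the advisory.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url;
}

// True if the value is an http(s) URL; with sameOriginOnly, it must also stay
// on the site (the stricter policy a confirmation redirect usually needs).
function isSafeRedirectUrl(raw, siteOrigin, sameOriginOnly = false) {
  const url = resolveRedirectUrl(raw, siteOrigin);
  if (url === null) return false;
  if (sameOriginOnly && url.origin !== new URL(siteOrigin).origin) return false;
  return true;
}

// Vulnerable pattern: whatever was stored in the redirect_url setting reaches
// the location setter, so "javascript:alert('XSS')" executes for the submitter.
function redirectUnsafe(win, redirectUrl) {
  win.location.href = redirectUrl;
  return win.location.href;
}

// Hardened pattern: assign only a validated absolute http(s) URL; otherwise
// fall back to a fixed page on the site instead of following the stored value.
function redirectSafe(win, redirectUrl, siteOrigin, fallback = '/') {
  const url = resolveRedirectUrl(redirectUrl, siteOrigin);
  win.location.href = url ? url.href : new URL(fallback, siteOrigin).href;
  return win.location.href;
}

// Constructed sample values for a stand-alone run (not real site data).
const SITE = 'https://example.com';
const STORED_PAYLOAD = "javascript:alert('XSS')"; // value from the advisory
const fakeWindow = { location: {} };
redirectSafe(fakeWindow, STORED_PAYLOAD, SITE);
```

The same scheme allowlist belongs on the server when the form settings are saved, so the javascript: value is never stored in the first place; in WordPress that is the role of functions such as esc_url_raw and wp_safe_redirect, which reject unlisted protocols.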