During the course of a web application penetration test I was faced with the Ninja Forms WordPress plugin. I found that version 2.8.8 of the Ninja Forms plugin, which was the latest version at the time of undertaking the penetration test, was vulnerable to cross-site scripting.
The vulnerability was found in the success notification message of the contact form, which the Ninja Forms plugin displays in the user's browser after the form has been successfully submitted. As an example, the plugin can be configured to show only the username field in the notification message, as can be seen below for the username "Pentester":
The cross-site scripting payload is then executed in the notification message when the user hovers over the username "TEST", as shown below:
Further to this, I wondered whether the vulnerability also affected the WordPress admin panel, which could give an attacker access to it.
Whilst an anonymous user could not target an administrator through the contact form in order to escalate their privileges, I found that the plugin was indeed vulnerable to stored cross-site scripting between WordPress administrators.
If another administrator views the submissions list page and hovers over the value "Pentest", the script is executed, as shown below.
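To make the root cause concrete, the following is an added example written for this post; it is not Ninja Forms code and does not reproduce the plugin's templates. It takes a constructed submission whose name field carries an inline event handler (a stand-in for the mouseover payload described above, not the original payload), renders it once unencoded, the way both the success notification and the submissions list page end up doing in 2.8.8, and once with context-appropriate output encoding. The `esc_attr_local()` and `esc_html_local()` helpers are hypothetical names standing in for WordPress's `esc_attr()` and `esc_html()`, which wrap `htmlspecialchars()` in the same way, so the script runs outside WordPress.

```php
<?php
// Added example, not part of Ninja Forms. Constructed submission: the
// name field closes the title attribute and injects an event handler.
$submission = [
    'name'  => 'TEST" onmouseover="alert(1)',
    'email' => 'user@example.com',
];

// Vulnerable pattern: the submitted value is concatenated straight into
// the notification / submissions-list markup. The embedded quote ends
// the attribute and the handler becomes live HTML, so the script fires
// when the victim hovers over the rendered value.
function render_unsafe(array $submission): string
{
    return '<span title="' . $submission['name'] . '">Thanks, '
         . $submission['name'] . '!</span>';
}

// Hardened pattern: encode for the context the value lands in.
// These hypothetical helpers mirror WordPress's esc_attr()/esc_html();
// both ultimately call htmlspecialchars() with ENT_QUOTES so that
// double and single quotes, <, > and & are all neutralised.
function esc_attr_local(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_html_local(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $submission): string
{
    return '<span title="' . esc_attr_local($submission['name']) . '">Thanks, '
         . esc_html_local($submission['name']) . '!</span>';
}

// Simple defender-side check: after encoding, none of the characters
// that can break out of an attribute or text node may survive verbatim.
function contains_raw_markup(string $rendered_value): bool
{
    return (bool) preg_match('/["\'<>]/', $rendered_value);
}

echo "Unencoded: " . render_unsafe($submission) . PHP_EOL;
echo "Encoded:   " . render_safe($submission) . PHP_EOL;
echo "Attribute value still contains raw quotes/angle brackets: "
   . (contains_raw_markup(esc_attr_local($submission['name'])) ? 'yes' : 'no')
   . PHP_EOL;
```

Run with `php example.php`. The unencoded line shows the handler sitting inside the tag as a real attribute; the encoded line shows it rendered as inert text (`&quot;` in place of the quotes), and the final check reports "no". The same encode-at-output rule is what closes both variants in the post: the anonymous submitter's value in the front-end notification and the stored value shown to other administrators on the submissions list page.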
The Ninja Forms plugin developers have released a patch to resolve this issue as part of version 2.8.10. More information about the latest version of the Ninja Forms WordPress plugin can be found at the following URL: https://wordpress.org/plugins/ninja-forms/