{"id":7495,"date":"2021-10-06T19:25:11","date_gmt":"2021-10-07T02:25:11","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7495"},"modified":"2023-04-05T12:37:46","modified_gmt":"2023-04-05T19:37:46","slug":"securin-discovers-stored-cross-site-scripting-xss-zero-day-vulnerability-in-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/securin-discovers-stored-cross-site-scripting-xss-zero-day-vulnerability-in-wordpress-plugin\/","title":{"rendered":"Securin (previously CSW) Discovers Stored Cross-Site Scripting (XSS) Zero-Day Vulnerability in WordPress Plugin"},"content":{"rendered":"

A Cross-Site Scripting (XSS) attack is of major concern to the cybersecurity world, especially web applications because it can allow attackers to gain control of user\u2019s accounts and steal their personally identifiable information, other than login credentials. CSW researchers found one such medium severity vulnerability recently in Zoho CRM Lead Magnet.<\/strong><\/p>\n

Description<\/strong><\/h2>\n

CSW researchers have discovered a Cross-Site Scripting (XSS) vulnerability in Zoho CRM Lead Magnet Version 1.7.2.4.\u00a0<\/strong><\/p>\n

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user\u2019s browser while the browser is connected to a trusted website.<\/p>\n

\n

The discovered vulnerability targets the application’s users and not the application itself, and uses the user\u2019s application as the attack vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.<\/strong><\/p>\n<\/blockquote>\n

 <\/p>\n

Vulnerability at a Glance<\/strong><\/h2>\n\n\n\n\n\n\n\n\n\n\n
\u00a0CVE Number<\/strong><\/td>\n\u00a0CVE-2021-33849<\/td>\n<\/tr>\n
\u00a0Product Name<\/strong><\/td>\n\u00a0Zoho CRM Lead Magnet Plugin<\/td>\n<\/tr>\n
\u00a0Affected Version\u00a0<\/strong><\/td>\n\u00a0Version 1.7.2.4<\/td>\n<\/tr>\n
\u00a0Severity<\/strong><\/td>\n\u00a0Medium<\/td>\n<\/tr>\n
\u00a0Vendor<\/strong><\/td>\n\u00a0WordPress 5.8<\/a><\/td>\n<\/tr>\n
\u00a0CWE ID<\/strong><\/td>\n\u00a0CWE-79: Improper Neutralization of Input During Web Page Generation<\/td>\n<\/tr>\n
\u00a0CVSS Vector<\/strong><\/td>\n\u00a06.1 (CVSS:3.1\/AV:L\/AC:L\/PR:H\/UI:R\/S:U\/C:H\/I:H\/A:L)<\/td>\n<\/tr>\n
CSW ID<\/strong><\/td>\n\u00a02021-CSW-08-1050<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Proof of Concept<\/strong><\/h2>\n

The following vulnerability was detected in Zoho CRM Lead Magnet Version 1.7.2.4.\u00a0<\/strong><\/p>\n

Issue:<\/strong> Stored Cross-Site Scripting<\/p>\n

Severity: <\/strong>Medium<\/p>\n

Steps to reproduce:<\/strong><\/p>\n

1. Log in to the WordPress application.<\/p>\n

Note: <\/strong>A virtual host (wptest.com) was used to test the application locally.<\/p>\n

2. Install the Zoho CRM Lead Magnet Plugin.<\/p>\n

<\/p>\n

\u00a0Figure 01: Zoho CRM Lead Magnet Version 1.7.2.4<\/em><\/span><\/p>\n

3. Configure the Client ID and Secret Key.<\/p>\n

4. Click the \u2018Create New Form\u2019 button, fill in the values, and then click the \u2018Next\u2019 button.<\/p>\n

<\/p>\n

\u00a0Figure 02: New form in Zoho CRM Plugin<\/span><\/em><\/p>\n

5. Encode the payload <img src=x onerror=alert(document.cookie)><\/em> with a hexadecimal HTML encoder.<\/p>\n

<\/p>\n

Figure 03: Encoding the Payload<\/em><\/span><\/p>\n

6. Enter the encoded payload in the \u2018Form Name\u2019 field (formvalue <\/em>parameter) to update the form. Then, click the arrow button near the \u2018Create a New Form\u2019 heading to go back to the previous page.<\/p>\n

<\/p>\n

\u00a0Figure 04: Entering Encoded XSS Payload in the \u2018form Name\u2019 Field<\/span><\/em><\/p>\n

7. Click on the pencil icon to edit the created form.<\/p>\n

<\/p>\n

Figure 05: Click on the\u00a0 Pencil Icon to Edit the Form<\/em><\/span><\/p>\n

8. Change any form value, such as\u00a0 \u2018Company\u2019 or the \u2018Last Name\u2019.<\/p>\n

<\/p>\n

Figure 06: Modifying Form Fields<\/em><\/span><\/p>\n

<\/p>\n

Figure 07: Injected XSS Payload Executed Displaying An Alert Box With Contents of the User\u2019s Cookies<\/em><\/span><\/p>\n

9. The XSS payload is also executed when the user tries to delete the form.<\/p>\n

<\/p>\n

Figure 08: XSS Payload Executed When the User Tries To Delete the Form\u00a0<\/em><\/span><\/p>\n

Impact<\/strong><\/h2>\n

With cross-site scripting, an attacker can control a script executed in the victim’s browser and then fully compromise that user. An XSS vulnerability enables attacks that are self-contained within the application. This means that an attacker does not need to find an external means of inducing the victim to make a request containing their exploit. Rather, the attacker can insert the exploit into the application and simply wait for users to encounter it.<\/p>\n

A cross-site scripting attack results in the following:<\/p>\n