The following vulnerability was detected in Zoho CRM Lead Magnet Version 1.7.2.4.
Issue: Stored Cross-Site Scripting.
Steps to Reproduce:
1. Log in to the WordPress application.
Note: A virtual host (wptest.com) was used to test the application locally.
2. Install the Zoho CRM Lead Magnet Plugin.
![](/wp-content/uploads/2021/09/Picture1.png)
Figure 01: Zoho CRM Lead Magnet Version 1.7.2.4
3. Configure the Client ID and Secret Key.
4. Click the ‘Create New Form’ button, fill in the values, and then click the ‘Next’ button.
![](/wp-content/uploads/2021/09/Picture2.png)
Figure 02: New form in Zoho CRM Plugin
5. Encode the payload `<img src=x onerror=alert(document.cookie)>` with a hexadecimal HTML encoder.
![](/wp-content/uploads/2021/09/Picture3.png)
Figure 03: Encoding the Payload
6. Enter the encoded payload in the ‘Form Name’ field (formvalue parameter) to update the form. Then, click the arrow button near the ‘Create a New Form’ heading to go back to the previous page.
![](/wp-content/uploads/2021/09/Picture4.png)
Figure 04: Entering Encoded XSS Payload in the ‘Form Name’ Field
7. Click on the pencil icon to edit the created form.
![](/wp-content/uploads/2021/09/Picture5.png)
Figure 05: Click on the Pencil Icon to Edit the Form
8. Change any form value, such as ‘Company’ or ‘Last Name’.
![](/wp-content/uploads/2021/09/Picture6.png)
Figure 06: Modifying Form Fields
![](/wp-content/uploads/2021/09/Picture7.png)
Figure 07: Injected XSS Payload Executed, Displaying an Alert Box with the Contents of the User’s Cookies
9. The XSS payload is also executed when the user tries to delete the form.
![](/wp-content/uploads/2021/09/Picture8.png)
Figure 08: XSS Payload Executed When the User Tries to Delete the Form
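
A defensive illustration of the input class used in steps 5 and 6, added here and not taken from the plugin or its vendor: it shows why a check on the raw ‘Form Name’ value passes a hex-entity-encoded string, and how canonicalizing before validation plus encoding on output keeps the stored value inert. The write-up does not state the plugin's root cause, so the weak check, the allow-list policy, and all function names below are assumptions made for the example.

```php
<?php
// Added example: not the plugin's code. All function names are hypothetical.

// Constructed sample: the payload from step 5 with every character written
// as a hexadecimal HTML entity (assumed output format of the encoder).
$payload = '<img src=x onerror=alert(document.cookie)>';
$encoded = implode('', array_map(
    fn($c) => sprintf('&#x%02x;', ord($c)),
    str_split($payload)
));

// Hypothetical weak check: looks for markup characters in the raw input only,
// so it never sees what the entities decode to.
function naive_is_safe(string $in): bool {
    return strpbrk($in, '<>"\'') === false;
}

// Decode entities until the value stops changing, so single and
// double encoding both collapse to the same canonical string.
function canonicalize(string $in): string {
    for ($i = 0; $i < 5; $i++) {
        $out = html_entity_decode($in, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($out === $in) {
            break;
        }
        $in = $out;
    }
    return $in;
}

// Allow-list validation on the canonical form (assumed policy for a form name).
function is_valid_form_name(string $in): bool {
    return preg_match('/^[\p{L}\p{N} _\-]{1,64}$/u', canonicalize($in)) === 1;
}

// Output encoding: the stored value is always emitted as text, never decoded
// back into markup before it is written into the page.
function render_form_name(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

var_dump(naive_is_safe($encoded));             // weak check on the raw value
var_dump(canonicalize($encoded) === $payload); // canonical form equals the payload
var_dump(is_valid_form_name($encoded));        // allow-list on the canonical form
var_dump(is_valid_form_name('Contact Us'));    // ordinary form name
echo render_form_name($encoded), "\n";         // entity text with & escaped
```

In WordPress code the output step is normally done with `esc_html()` or `esc_attr()` at the point where the value is written into the page.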