On July 28, 2018, analysts in Comodo’s cWatch Web Security team discovered a vulnerability in version 1.2.5 of the Wordpress ‘Multiple Stored XSS Form’, which may be used to steal user's personal data. This issue was caused due to improper sanitization, so the values were stored without proper validation or escaping.
While risks are common to any XSS, this vulnerability has stored XSS, most dangerous for users of Mondula Multi Step Form Plugin up to 1.2.5 on WordPress. Users concerned they have been exposed to this vulnerability should upgrade to the latest version of plugin.
More here: https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Proof of Concept
There are multiple stored and reflected XSS vulnerabilities in file class-mondula-multistep-forms-admin.php in fw_wizard_save action. The reason for this involves unsanitized user input from the following parameters:
Exploiting this vulnerability requires authentication.
Locate Multi step form and enter payload and Save. The values are passed via Ajax → http://localhost/word496/wp-admin/admin-ajax.php
In this case, sanitized values are missing, so the values were stored without proper validation or escaping. Sanitize affected vectors to avoid XSS. Corrected code shown below:
How to protect yourself (before patching):
Comodo Web Application Firewall (CWAF) provides powerful, real-time protection for web applications and websites running on Apache, LiteSpeed and Nginx on Linux. CWAF supports ModSecurity rules, providing advanced filtering, security and intrusion protection.
Why you need it: