While auditing the WordPress plugin Caldera Forms, we discovered an authenticated XSS vulnerability.
This plugin currently has more than 80,000 active installs.
About the Plugin
Per its WordPress.org description, Caldera Forms “is a free and powerful WordPress plugin that creates responsive forms with a simple drag and drop editor.”
The XSS vulnerability is caused by this unescaped parameter in ui/edit.php:102:
Proof of Concept
To demonstrate the attack on versions 1.5.3 and 1.5.4, navigate to the following URL:
In versions prior to 1.5.3, a valid form ID (trivially found on the frontend) is required; the injected payload must also begin inside an HTML tag, since HTML tags in the value are stripped by sanitize_text_field() when the form ID is matched:
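The distinction behind that note is input sanitisation versus output escaping: stripping tags removes a `<script>`-style payload but leaves a value that closes a quoted attribute untouched, so an unescaped echo into an attribute is still exploitable. The following Python model, written here as an added example rather than code from the plugin or from WordPress, approximates what sanitize_text_field() does to a string (assumed behaviour, not the real implementation), renders a hypothetical hidden input the way the vulnerable page does, and shows that escaping for the attribute context (what WordPress's esc_attr() provides) is the fix. The sample inputs are constructed and use a harmless marker attribute rather than an event handler.

```python
import html
import re
from html.parser import HTMLParser

# Approximate model of sanitize_text_field(): strips complete HTML tags and
# control characters but does NOT encode quotes. This is an assumption for
# illustration, not the WordPress implementation.
def sanitize_text_field_model(value: str) -> str:
    value = re.sub(r"<[^>]*>", "", value)          # strip tags
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)  # drop control characters
    return value.strip()

def render_attr_unescaped(form_id: str) -> str:
    """Vulnerable pattern (hypothetical): value reaches an attribute unescaped."""
    return f'<input type="hidden" name="form_id" value="{form_id}">'

def render_attr_escaped(form_id: str) -> str:
    """Fixed pattern: escape for the HTML attribute context (esc_attr() in WP)."""
    return f'<input type="hidden" name="form_id" value="{html.escape(form_id, quote=True)}">'

class _AttrCollector(HTMLParser):
    """Parse the rendered tag the way a browser would and collect its attributes."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def parse_input_attrs(rendered: str) -> dict:
    p = _AttrCollector()
    p.feed(rendered)
    return p.attrs

# Constructed sample inputs (not taken from the advisory):
TAG_PAYLOAD = "abc<b>bold</b>"          # tag-based: removed by the sanitiser
ATTR_PAYLOAD = 'abc" data-injected="1'   # attribute breakout: survives the sanitiser

def demo() -> dict:
    """For each input: sanitised value, and whether the injected attribute lands."""
    results = {}
    for name, raw in (("tag", TAG_PAYLOAD), ("attr", ATTR_PAYLOAD)):
        sanitized = sanitize_text_field_model(raw)
        results[name] = {
            "sanitized": sanitized,
            "unescaped_injects": "data-injected" in parse_input_attrs(render_attr_unescaped(sanitized)),
            "escaped_injects": "data-injected" in parse_input_attrs(render_attr_escaped(sanitized)),
        }
    return results
```

Running demo() shows the tag payload neutralised by sanitisation alone, while the attribute payload adds its own attribute to the element until the output is escaped.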
Disclosure Timeline
- August 7th 2017 – Vulnerability identified
- August 8th 2017 – Notified developer of vulnerability in versions 1.5.3 and 1.5.4
- August 8th 2017 – Received confirmation from developer
- August 8th 2017 – Notified developer that vulnerability is also exploitable in versions < 1.5.3
- August 17th 2017 – Patch released