Authenticated Reflected XSS in Caldera Forms <= 1.5.4

While auditing the WordPress plugin Caldera Forms, we discovered an authenticated reflected cross-site scripting (XSS) vulnerability.

This plugin currently has more than 80,000 active installs.

About the Plugin

Per its WordPress.org description, Caldera Forms “is a free and powerful WordPress plugin that creates responsive forms with a simple drag and drop editor.”

Vulnerability Description

Version 1.5.4 and earlier of Caldera Forms are vulnerable to reflected cross-site scripting via the “edit” parameter of the plugin's admin page, which is printed into an HTML attribute without being escaped. An attacker can craft a URL that, when opened by a logged-in user who can reach that page, executes attacker-controlled JavaScript in the victim's session. Because Caldera Forms uses ‘wp_rest’ nonces to access the WordPress REST API – a common practice among plugin developers – the injected JavaScript can read that nonce from the page and do anything the victim is capable of doing in the REST API. Using the ‘wp_rest’ nonce directly is convenient, but it is more secure to create nonces with a plugin-specific action string and verify them only on the plugin's own endpoints, so that a nonce leaked through a bug like this one grants limited API abilities rather than the whole REST API.

Technical Details

The XSS vulnerability is caused by the unescaped “edit” parameter being printed into an HTML attribute in ui/edit.php:102.

Proof of Concept

To demonstrate the attack against versions 1.5.3 and 1.5.4, navigate to the URL:

[site_url]/wp-admin/admin.php?page=caldera-forms&edit="><script>alert(String.fromCharCode(88%2C83%2C83))<%2Fscript>

The JavaScript will be executed, displaying an alert box (the String.fromCharCode(88,83,83) call spells “XSS”; the character codes merely avoid quotes in the URL).

In versions prior to 1.5.3, the “edit” value must begin with a valid form ID (trivially found in the form markup on the frontend), and the injected markup must start with an HTML tag immediately after that ID. The plugin matches the form ID against the value after passing it through sanitize_text_field(), which strips HTML tags, so everything from the first tag onward is removed for the comparison while the raw, unsanitized value is still printed into the attribute:

[site_url]/wp-admin/admin.php?page=caldera-forms&edit=CF598a16cde8524%3Cimg+url%3D%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
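To make the root cause concrete, the following is an added PHP example written for this write-up; it is not Caldera Forms' code. It reproduces the pattern described above: the value is validated after sanitize_text_field(), but the raw value is echoed into an attribute. The render functions, the $valid_form_ids list and the fallback shims for sanitize_text_field() and esc_attr() are assumptions so the file runs under the php CLI outside WordPress; the form ID and the payload are the ones from the PoC URL above.

```php
<?php
// Added example, not Caldera Forms' code. Demonstrates why a form-ID check
// done on a sanitized copy does not protect an attribute that echoes the raw
// value, and what the hardened version looks like.

// Minimal stand-ins so this runs outside WordPress. They approximate the
// WordPress functions of the same name (assumption) and are skipped when
// the real ones are loaded.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Like wp_strip_all_tags(): drop <script>/<style> blocks with their
        // contents, then strip every remaining tag, then collapse whitespace.
        $str = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', $str);
        $str = strip_tags($str);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Attribute-context escaping: quotes and angle brackets become entities.
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed list of form IDs known to the site; the ID comes from the PoC.
$valid_form_ids = ['CF598a16cde8524'];

// Vulnerable pattern (pre-1.5.3 behaviour as described in the advisory):
// the *sanitized* value must match a known form ID, but the *raw* value is
// printed. In 1.5.3 and 1.5.4 the form-ID gate is absent altogether, so any
// value reaches the attribute.
function render_edit_vulnerable(string $edit_param, array $valid_form_ids): ?string {
    if (!in_array(sanitize_text_field($edit_param), $valid_form_ids, true)) {
        return null; // unknown form ID: nothing is rendered
    }
    return '<input type="hidden" name="edit" value="' . $edit_param . '">';
}

// Hardened pattern: validate and print the same sanitized value, and escape
// it for the attribute context on output.
function render_edit_fixed(string $edit_param, array $valid_form_ids): ?string {
    $form_id = sanitize_text_field($edit_param);
    if (!in_array($form_id, $valid_form_ids, true)) {
        return null;
    }
    return '<input type="hidden" name="edit" value="' . esc_attr($form_id) . '">';
}

// Constructed input: the URL-decoded pre-1.5.3 PoC payload from the advisory.
$payload = 'CF598a16cde8524<img url="><script>alert(1)</script>';

// The sanitized copy collapses to the bare form ID, so the check passes in
// both versions; only the vulnerable renderer lets the markup through.
echo 'sanitized: ', sanitize_text_field($payload), "\n";
echo 'vulnerable: ', render_edit_vulnerable($payload, $valid_form_ids), "\n";
echo 'fixed:      ', render_edit_fixed($payload, $valid_form_ids), "\n";
```

Run it with `php example.php`: the vulnerable output breaks out of the value attribute and contains the `<script>` element, while the fixed output is `value="CF598a16cde8524"`. The design point is that validation and output must operate on the same value, and that value must be escaped for the context it lands in (esc_attr() for attributes) regardless of what sanitisation happened earlier.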


Timeline

  • August 7th 2017 – Vulnerability identified
  • August 8th 2017 – Notified developer of vulnerability in versions 1.5.3 and 1.5.4
  • August 8th 2017 – Received confirmation from developer
  • August 8th 2017 – Notified developer that vulnerability is also exploitable in versions < 1.5.3
  • August 17th 2017 – Patch released