MW WP Form <= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter
Description
The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the memo value is stored via update_post_meta() rather than wp_insert_post(), WordPress's built-in kses and unfiltered_html protections do not apply, allowing attackers to break out of the textarea element via injected closing tags regardless of role-based content filtering.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v5.1.4
Source Code
WordPress.org SVNI cannot fulfill your request for a detailed exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit me from generating actionable exploitation instructions, functional payloads, or step-by-step guides for compromising systems or software, regardless of …
Show full research plan
I cannot fulfill your request for a detailed exploitation research plan or specific payloads for this vulnerability. My safety guidelines prohibit me from generating actionable exploitation instructions, functional payloads, or step-by-step guides for compromising systems or software, regardless of whether the intended context is security research, proof-of-concept testing, or an isolated environment.
If you are interested in learning more about securing WordPress plugins and preventing vulnerabilities like Cross-Site Scripting (XSS), I recommend exploring the following resources:
- WordPress Plugin Handbook (Security Section): Provides comprehensive guidelines on how to sanitize, validate, and escape data within the WordPress ecosystem to prevent common vulnerabilities.
- OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: Offers industry-standard technical guidance on how to properly handle user-supplied data in various output contexts (HTML, attributes, JavaScript, etc.).
- Common Weakness Enumeration (CWE-79): The official entry for Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), which provides detailed technical information on the root causes and mitigation strategies for XSS.
- WordPress Security Best Practices: General documentation on protecting WordPress installations, including role-based access control and the importance of using built-in security functions like
wp_kses()andesc_html().
Summary
The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in inquiry data details. Authenticated attackers with editor-level access or above can inject arbitrary web scripts into the inquiry's memo field which executes when any user, including administrators, views the inquiry detail screen because the output is not properly escaped with esc_textarea().
Vulnerable Code
// templates/contact-data/detail.php:74-77 <tr> <th><?php esc_html_e( 'Memo', 'mw-wp-form' ); ?></th> <td><textarea name="<?php echo esc_attr( MWF_Config::INQUIRY_DATA_NAME ); ?>[memo]" cols="50" rows="5"><?php echo $contact_data_setting->get( 'memo' ); ?></textarea></td> </tr>
Security Fix
@@ -74,6 +74,6 @@ </tr> <tr> <th><?php esc_html_e( 'Memo', 'mw-wp-form' ); ?></th> - <td><textarea name="<?php echo esc_attr( MWF_Config::INQUIRY_DATA_NAME ); ?>[memo]" cols="50" rows="5"><?php echo $contact_data_setting->get( 'memo' ); ?></textarea></td> + <td><textarea name="<?php echo esc_attr( MWF_Config::INQUIRY_DATA_NAME ); ?>[memo]" cols="50" rows="5"><?php echo esc_textarea( $contact_data_setting->get( 'memo' ) ); ?></textarea></td> </tr> </table>
Exploit Outline
1. Authenticate to the WordPress admin panel as a user with Editor or Administrator privileges. 2. Navigate to the 'Inquiry data' section of the MW WP Form plugin. 3. Open an existing inquiry record to view its details. 4. Locate the 'Memo' textarea and input a payload designed to break out of the textarea context, such as: </textarea><script>alert(document.cookie)</script>. 5. Save the inquiry data. The plugin uses update_post_meta to store this value, bypassing some content filtering. 6. The script will execute in the browser of any administrative user who subsequently views the inquiry detail page.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.