getformwork/formwork
cpe:2.3:a:formwork_project:formwork:*:*:*:*:*:*:*
- <= 2.1.5
A stored cross-site scripting vulnerability has been identified in Formwork CMS versions prior to 2.2.0. The issue arises from the blog tag field, where unsanitized data can be inserted, leading to the execution of attacker-controlled scripts in the browser of any user with CMS credentials who accesses or edits the affected blog post. This vulnerability is persistent and disrupts administrative workflows by causing the injected script to execute whenever an attempt is made to remove the malicious tag, effectively locking the user out of managing standard tags.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user editing the blog post.
To reproduce this vulnerability, log into Formwork CMS and navigate to the blog tag field. Insert a tag containing unsanitized data, such as a script payload. Once the tag is saved, it cannot be removed without triggering the XSS payload again. This can be done by accessing the 'Pages' section and selecting a page that uses the 'Blog Post' template. After the malicious tag is inserted and saved, the XSS will execute, demonstrating the vulnerability.
Users can update to Formwork CMS version 2.2.0 or later, where this vulnerability has been patched.
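The pattern behind this class of bug, as an added illustration and not Formwork's own code: a tag editor that concatenates stored tag text straight into the chip markup (so every render, including the re-render after clicking "remove", executes the stored script) next to one that HTML-encodes each interpolation, plus an input-side allowlist as defense in depth. The stored tag values are constructed and the function names are hypothetical.

```javascript
// Added illustration (not Formwork's code): stored tag text reaching the
// admin editor's markup, and why output encoding breaks the lockout loop.
// Tags are rendered as "chips" with a remove button, as generic tag editors do.

// Constructed stored tags: two ordinary tags and one carrying HTML markup.
const STORED_TAGS = ["php", "cms", "<script>alert(1)</script>"];

// Minimal HTML entity encoder for the five characters that matter in text
// and quoted-attribute contexts. Real code should use the framework's escaper.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored tag text is concatenated directly into markup.
// Each render of the chip list (including the one after a "remove" click)
// puts the tag's markup back into the page, so the script runs every time.
function renderTagsUnsafe(tags) {
  return tags
    .map((t) => `<span class="tag" data-tag="${t}">${t}<button data-remove="${t}">x</button></span>`)
    .join("");
}

// Hardened pattern: same layout, but every interpolation is encoded for the
// HTML context it lands in, so the tag is displayed as literal text and the
// remove button works on it like on any other tag.
function renderTagsSafe(tags) {
  return tags
    .map((t) => {
      const e = escapeHtml(t);
      return `<span class="tag" data-tag="${e}">${e}<button data-remove="${e}">x</button></span>`;
    })
    .join("");
}

// Defense in depth on the input side: accept only the tag shape a blog
// actually needs (letters, digits, space, underscore, hyphen; 1-64 chars),
// so markup is never stored in the first place.
const TAG_PATTERN = /^[\p{L}\p{N} _-]{1,64}$/u;
function isValidTag(tag) {
  return TAG_PATTERN.test(tag);
}

// Detection helper for a rendered fragment: is a raw <script> tag present?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Encoding on output is the fix that matters; the allowlist only limits what can be stored and must not replace it.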