weForms WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the weForms plugin for WordPress, affecting all versions up to and including 1.6.27. The issue arises from inconsistent input sanitization between the frontend AJAX handler and the REST API entry submission endpoint. When form entries are submitted via the REST API, the 'prepare_entry()' method processes the data without applying proper sanitization, allowing authenticated attackers with Subscriber-level access and above to inject arbitrary scripts into hidden field values. These scripts are executed when an administrator views the form entries page, where the data is rendered using a Vue.js directive that does not escape HTML.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the entries.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can submit a form entry through the REST API endpoint '/wp-json/weforms/v1/forms/{id}/entries/'. The 'prepare_entry()' method will process the entry without proper sanitization, especially if the submission includes a hidden field. Once the entry is submitted, an administrator can view the form entries, triggering the execution of the injected script.

Remediation

Users can update to weForms version 1.6.28 or later, where this vulnerability has been patched.