28 Feb 2020

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Forminator

The plugin Forminator was closed on the WordPress Plugin Directory yesterday. It is one of the 1,000 most popular plugins, with 40,000+ installs, so we were alerted to its closure. When we went to check on the plugin to see if we should be warning our customers that use it about anything, we found that it had been updated and re-opened, and the changelog for that version reads “Security Fix: Patch authenticated stored XSS”. Based on that and the changes made in that version, the fix appears to consist of sanitizing the values of various settings when fields are created in the plugin's forms. By default only Administrators have access to those settings, and Administrators have the unfiltered_html capability, which already allows them to do the equivalent of cross-site scripting (XSS). The plugin is only partially designed to give lower-level users access to its admin functionality, so this would only be a vulnerability on a website that has a role that can edit those forms but does not have the unfiltered_html capability.
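The two checks implied by that paragraph, as an added example that is not part of the original post and not code from the Forminator plugin: first, which roles on a site would actually gain something from unsanitized form-field settings (a role that can reach the form editor but lacks unfiltered_html), and second, what a patched save path looks like when it filters markup for exactly those users and escapes on output. The capability map is constructed; the unfiltered_html assignments follow WordPress single-site defaults (Administrator and Editor have it, lower roles do not), while "edit_forms" and the "form_manager" role are hypothetical stand-ins for whatever a plugin uses to gate its form editor. The allowlist sanitizer is a small model of the approach wp_kses takes, written in plain Python so it runs offline.

```python
"""Added example: who is exposed by unsanitized form settings, and the fix."""
import html
from html.parser import HTMLParser

# Constructed capability map. unfiltered_html follows WordPress single-site
# defaults; "edit_forms" and "form_manager" are hypothetical stand-ins.
ROLE_CAPS = {
    "administrator": {"unfiltered_html", "edit_forms", "manage_options"},
    "editor": {"unfiltered_html", "edit_posts"},
    "form_manager": {"edit_forms", "edit_posts"},  # custom role, constructed
    "author": {"edit_posts"},
}


def exposed_roles(role_caps, editor_cap="edit_forms"):
    """Roles for which stored XSS in form settings is a real escalation:
    they can edit forms but may not already post raw HTML."""
    return sorted(role for role, caps in role_caps.items()
                  if editor_cap in caps and "unfiltered_html" not in caps)


# Tags and attributes a field label is allowed to keep; everything else goes.
ALLOWED = {"b": set(), "i": set(), "em": set(), "strong": set(),
           "a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class _Kses(HTMLParser):
    """Allowlist sanitizer in the spirit of wp_kses: keeps only allowed tags
    and attributes, drops event handlers and javascript: URLs, and escapes
    all text (including text inside dropped tags such as <script>)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the tag itself; its text still passes handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # onerror=, onclick=, style= and friends land here
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data: and relative tricks are dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded on input, so re-escape to avoid smuggling.
        self.out.append(html.escape(data, quote=False))


def kses(value):
    """Filter untrusted markup down to the allowlist."""
    parser = _Kses()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


def save_field_setting(user_caps, value):
    """Save-time rule: users who hold unfiltered_html keep raw HTML (they can
    already post it anywhere); everyone else has their input filtered."""
    return value if "unfiltered_html" in user_caps else kses(value)


def render_attr(value):
    """Output escaping for a setting placed in an HTML attribute, the
    equivalent of WordPress's esc_attr()."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print("exposed roles:", exposed_roles(ROLE_CAPS))
    payload = '<img src=x onerror=alert(1)>Name <a href="javascript:alert(1)">here</a>'
    print("form_manager saves:", save_field_setting(ROLE_CAPS["form_manager"], payload))
    print("administrator saves:", save_field_setting(ROLE_CAPS["administrator"], payload))
    print("in attribute:", render_attr('" onfocus="alert(1)'))
```

The save-time gate is the part that matches the advisory's reasoning: on a default single-site install nobody who can reach the form editor is filtered, so the fix changes nothing there, but a custom role that was granted the editor without unfiltered_html is exactly the case the sanitizing catches.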

...


This post covers a vulnerability in a WordPress plugin that was not discovered by us, and for which the discoverer did not provide the details needed to confirm it when we added it to the data set for our service, so the rest of the post is limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is vulnerable because of it. You can try our service for free and then see the rest of the details of the vulnerability.

For existing customers, please log in to your account to view the contents of the post.


Plugin Security Scorecard Grade for Forminator: F (checked on November 28, 2024)

