-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Security Advisory

ARA-2020-001: Insufficient sanitization of WPForms

## Affected Product(s) and Environment(s)

Product: WPForms lite (WPForms, LLC), all Versions <= 1.5.9.5 (as at
22nd March 2020)
Environments: All browsers and operating systems

## Security Risk

Severity: High
Vulnerability Type:
CVSS v3: 8.2
## Impact
Confidentiality: Low
Integrity: High
Availability: None
## Exploitability
Access Vector: Network
Access Complexity: Low
Privileges Required: None
User Interaction: None
## Scope
Scope: Unchanged


## Remediation Level

Currently unavailable, awaiting manufacturer's response.


## Timeline

2020-03-22: Vendor notification
2020-03-24: Vendor response
2020-04-15: Vendor released fixed version 1.6.0.1
2020-05-06: Public disclosure within 45 days of initial vendor notificiation


## Description Summary

A form created by the WordPress plugin WPForms does not sufficiently
sanitize or escape inserted html tags before sending an e-mail to the
predefined reciepients or processing the form content otherwise.

## Product Introduction:

"Our easy drag & drop WordPress form builder allows you to create
contact forms, online surveys, donation forms, order forms and other
WordPress forms in just a few minutes without writing any code."
[WPForms Website](https://wpforms.com/)

## Technical Description

Inserting a message into a WPForms text box will send an email to a
predefined reciepient. If this message contains html code wrapped in
outer html tags the sent mail still contains the inner html code. The
sanitization of WPForms removes only the outer html tags and does not
remove inner html tags.

### Proof of Concept (PoC)

Inserting the following snippet in the text area of the contact form
will cause WPForms to send an email to the contact person including
functional html code. An attacker could use this behavior to include a
phishing link (for example "Click here to answer" or similar) into the
email to get credentials of the predefined contact person.

### Payload

Hello WPForms-Team,

your plugin tries to sanitize HTML-Strings, although it is still be
possible to inject HTML an other stuff, which is sent to recipients.

A <a href="https://aram<a href="https://aramido.de">ido.de">link</</a>a>
<b<br>r>
An image:<<br>br>
<img src="https://aramido<img
src="https://aramido.de/img/aramido-logo.png"
style="width:2style="width:200px"00px">.de/img/aramido-logo.png">

### Received email source code

<tr>
<td style="color:#555555;padding-top: 3px;padding-bottom: 20px;">Hello
WPForms-Team,</p>
<p>your plugin tries to sanitize HTML-Strings, although it is still be
possible to inject HTML an other stuff, which is sent to recipients.</p>
<p>A <a href="https://aramido.de">link</a><br />
<br />
An image:<br />
<img src="https://aramido.de/img/aramido-logo.png"></td>
</tr>

## Solution

Instead of sanitizing once using the sanitize_text_field, this function
could be imlemented in a recursive loop until there is no change of the
message.
In case of allowed html tags, the form could use a correct escaping
before sending an email to prevent an attacker to use html.


## References

[aramido responsible disclosure
policy](https://aramido.de/blog/Sicherheitshinweise)


## Authors

Andreas Sperber, aramido GmbH
E-mail: andreas.sperber@aramido.de
PGP-Key: https://aramido.de/andreas.sperber.asc
PGP-Fingerprint: FC84 BB4D 696D F04C E1A1  2BED 7518 A24A 06B9 BEA7

Benjamin Pokrant, aramido GmbH
E-mail: benjamin.pokrant@aramido.de
PGP-Key: https://aramido.de/benjamin.pokrant.asc
PGP-Fingerprint: 2993 0EE2 3A41 86E1 9C97  72F4 24E2 4AE1 403E 1651


## Disclaimer

The information provided in this advisory is provided "as is" without
any warranty. Details of this security advisory may be updated in order
to provide as accurate information as possible. The latest version of
this security advisory is available on the aramido web site. aramido
GmbH disclaims all warranties, either expressed or implied, including
the warranties of merchantability and capability for a particular
purpose. aramido GmbH or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if aramido GmbH or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases or trade with
fraud/stolen material.


## Copyright

CC-BY-4.0
http://creativecommons.org/licenses/by/4.0/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEPW1SqILXQdSB6cMt8r3/fQu+GBMFAl6yq3AACgkQ8r3/fQu+
GBOMbw//ebCiiNqNjnpuC7BO73jB+ZMiLSsLvbTjSEPBEPlL+BPUuxzJShKpWpis
QXMQuDEnqh+K4bPiN50LzW/cgCb92RIgN2QER/6T9XbJAeSCHRPSm+OgFzG+XIv1
HY/lLbEF+ZVYzcJ+VXf/yYfPtVSXd5c/vPooZqCGkBNMjYBxXRHUMp5u3dachrXr
zs0ukBqKWkgakF94e2zK0E68HagAztTz4gsV5O102NBnVDWq3Z1LqulweVyIWVSk
BzvC+U8CRqGwN/v7Rs+UFJ5IQdgvswplA2Wy68A2xElvLo6IlbSytetRJSK7iORx
9W3wTP4XA/BCoGCiMKtpyoAvkW0rZn+Yk9J3xiOpG23+Ge950OnXUrkZRkUq/aVb
KObFJIKzZtMHFtyrE1K43mK1VS+sRYH4GhC0T1DOnclGp6bd3FL2E2aBlKGxldym
zohZ4wCvcQnhG/4P7+NcPQEdOAc3hbVxaY4A9PeVpwYf/U4JwmTSd8TDYBSVSrkx
GAOF/KECuDj+KXm/5LyiVsZVZdCrt6IA7zcJIZnbCFDClh9RmMTulTUmXY4Edge9
DMhpHJCFPKfRVfRQTwuTAnkJIhkwJFpluTm5KJOtKGRKzUPgL8XNGKz8MuEew8ge
eIKZk/gjuYm8l7pYUd3C1NP0JhLi8J3Sy5bNzzrMBImTir2jBeM=
=2pFl
-----END PGP SIGNATURE-----