-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Security Advisory ARA-2020-001: Insufficient sanitization of WPForms

## Affected Product(s) and Environment(s)

Product: WPForms Lite (WPForms, LLC), all versions <= 1.5.9.5 (as at 22nd March 2020)
Environments: All browsers and operating systems

## Security Risk

Severity: High
Vulnerability Type:
CVSS v3: 8.2

## Impact

Confidentiality: Low
Integrity: High
Availability: None

## Exploitability

Access Vector: Network
Access Complexity: Low
Privileges Required: None
User Interaction: None

## Scope

Scope: Unchanged

## Remediation Level

Currently unavailable, awaiting manufacturer's response.

## Timeline

2020-03-22: Vendor notification
2020-03-24: Vendor response
2020-04-15: Vendor released fixed version 1.6.0.1
2020-05-06: Public disclosure within 45 days of initial vendor notification

## Description Summary

A form created by the WordPress plugin WPForms does not sufficiently sanitize or escape inserted HTML tags before sending an e-mail to the predefined recipients or otherwise processing the form content.

## Product Introduction

"Our easy drag & drop WordPress form builder allows you to create contact forms, online surveys, donation forms, order forms and other WordPress forms in just a few minutes without writing any code." [WPForms Website](https://wpforms.com/)

## Technical Description

Inserting a message into a WPForms text box sends an e-mail to a predefined recipient. If the message contains HTML code wrapped in outer HTML tags, the sent mail still contains the inner HTML code: the WPForms sanitization removes only the outer HTML tags and leaves the inner HTML tags in place.

### Proof of Concept (PoC)

Inserting the following snippet into the text area of the contact form causes WPForms to send an e-mail containing functional HTML code to the contact person.
An attacker could use this behavior to place a phishing link (for example "Click here to answer" or similar) in the e-mail in order to obtain the credentials of the predefined contact person.

### Payload

```
Hello WPForms-Team, your plugin tries to sanitize HTML-Strings, although it is still be possible to inject HTML an other stuff, which is sent to recipients. A ido.de">linka> r> An image:<
br> .de/img/aramido-logo.png">
```

### Received email source code

```
Hello WPForms-Team,

your plugin tries to sanitize HTML-Strings, although it is still be possible to inject HTML an other stuff, which is sent to recipients.

A link

An image:
```
## Solution

Instead of sanitizing once with sanitize_text_field, the function could be applied in a loop until a pass no longer changes the message. If certain HTML tags are to be allowed, the form could escape the content correctly before sending the e-mail, so that an attacker cannot make use of HTML.

## References

[aramido responsible disclosure policy](https://aramido.de/blog/Sicherheitshinweise)

## Authors

Andreas Sperber, aramido GmbH
E-mail: andreas.sperber@aramido.de
PGP-Key: https://aramido.de/andreas.sperber.asc
PGP-Fingerprint: FC84 BB4D 696D F04C E1A1 2BED 7518 A24A 06B9 BEA7

Benjamin Pokrant, aramido GmbH
E-mail: benjamin.pokrant@aramido.de
PGP-Key: https://aramido.de/benjamin.pokrant.asc
PGP-Fingerprint: 2993 0EE2 3A41 86E1 9C97 72F4 24E2 4AE1 403E 1651

## Disclaimer

The information provided in this advisory is provided "as is" without any warranty. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the aramido web site. aramido GmbH disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. aramido GmbH or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if aramido GmbH or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
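The single-pass behaviour described in the Technical Description and the two remedies proposed in the Solution section, as an added example that is not part of this advisory and not WPForms's or WordPress's own code. It is written in Python so it runs stand-alone: a constructed regular-expression stripper stands in for WordPress's sanitize_text_field and only models the behaviour the advisory describes (outer tags removed, inner tags left behind); the nested-tag test input and the host example.invalid are constructed for the test. In a real plugin the same loop would wrap sanitize_text_field in PHP.

```python
import html
import re

# Constructed stand-in for a single-pass tag stripper. It is NOT WordPress's
# sanitize_text_field; it only reproduces the behaviour the advisory describes:
# each innermost <...> group is removed exactly once, so a tag nested inside
# another tag's brackets survives the pass and becomes functional afterwards.
_TAG = re.compile(r"<[^<>]*>")


def strip_once(text: str) -> str:
    """One pass of tag removal (models the pre-1.6.0.1 behaviour)."""
    return _TAG.sub("", text)


def contains_tag(text: str) -> bool:
    """True if the text still holds something that parses as an HTML tag."""
    return _TAG.search(text) is not None


def strip_until_stable(text: str, max_rounds: int = 10) -> str:
    """The advisory's first remedy: re-run the stripper until a pass changes
    nothing. If the text is still changing after max_rounds passes, escape
    whatever is left instead of passing ambiguous markup through."""
    for _ in range(max_rounds):
        stripped = strip_once(text)
        if stripped == text:
            return text
        text = stripped
    return html.escape(text, quote=True)


def escape_for_html_mail(text: str) -> str:
    """The advisory's second remedy: keep the submitted text verbatim but
    escape it, so the mail client renders characters instead of markup."""
    return html.escape(text, quote=True)


def is_idempotent(sanitizer, sample: str) -> bool:
    """Regression check for any sanitizer: a second pass over already
    sanitized output must not change it."""
    once = sanitizer(sample)
    return sanitizer(once) == once


# Constructed regression input (hypothetical host, not the advisory's payload):
# the <b> tags sit inside the brackets of an <a> tag, so a single pass leaves
# a working link behind.
NESTED_SAMPLE = 'Click <<b>a href="https://example.invalid/">here</<b>a>'


if __name__ == "__main__":
    after_one_pass = strip_once(NESTED_SAMPLE)
    print("single pass :", after_one_pass, "| tag left:", contains_tag(after_one_pass))
    print("fixed point :", strip_until_stable(NESTED_SAMPLE))
    print("escaped     :", escape_for_html_mail(NESTED_SAMPLE))
    print("strip_once idempotent        :", is_idempotent(strip_once, NESTED_SAMPLE))
    print("strip_until_stable idempotent:", is_idempotent(strip_until_stable, NESTED_SAMPLE))
```

The check worth keeping in a test suite is is_idempotent: a sanitizer whose output changes on a second pass still contains removable markup, which is exactly the condition the advisory reports. The fixed-point loop is bounded, and whatever is still changing after the bound is escaped rather than passed through, so deeply nested input cannot turn the bound into a bypass.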
## Copyright

CC-BY-4.0 http://creativecommons.org/licenses/by/4.0/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEPW1SqILXQdSB6cMt8r3/fQu+GBMFAl6yq3AACgkQ8r3/fQu+
GBOMbw//ebCiiNqNjnpuC7BO73jB+ZMiLSsLvbTjSEPBEPlL+BPUuxzJShKpWpis
QXMQuDEnqh+K4bPiN50LzW/cgCb92RIgN2QER/6T9XbJAeSCHRPSm+OgFzG+XIv1
HY/lLbEF+ZVYzcJ+VXf/yYfPtVSXd5c/vPooZqCGkBNMjYBxXRHUMp5u3dachrXr
zs0ukBqKWkgakF94e2zK0E68HagAztTz4gsV5O102NBnVDWq3Z1LqulweVyIWVSk
BzvC+U8CRqGwN/v7Rs+UFJ5IQdgvswplA2Wy68A2xElvLo6IlbSytetRJSK7iORx
9W3wTP4XA/BCoGCiMKtpyoAvkW0rZn+Yk9J3xiOpG23+Ge950OnXUrkZRkUq/aVb
KObFJIKzZtMHFtyrE1K43mK1VS+sRYH4GhC0T1DOnclGp6bd3FL2E2aBlKGxldym
zohZ4wCvcQnhG/4P7+NcPQEdOAc3hbVxaY4A9PeVpwYf/U4JwmTSd8TDYBSVSrkx
GAOF/KECuDj+KXm/5LyiVsZVZdCrt6IA7zcJIZnbCFDClh9RmMTulTUmXY4Edge9
DMhpHJCFPKfRVfRQTwuTAnkJIhkwJFpluTm5KJOtKGRKzUPgL8XNGKz8MuEew8ge
eIKZk/gjuYm8l7pYUd3C1NP0JhLi8J3Sy5bNzzrMBImTir2jBeM=
=2pFl
-----END PGP SIGNATURE-----