During security research I found an authenticated stored XSS vulnerability in the WordPress Ninja Forms Contact Form plugin. Affected plugin versions: < 3.6.9.
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in the WordPress Ninja Forms Contact Form plugin (versions <= 3.6.9).
Steps to reproduce:
1. In the left column, click Ninja Forms > Dashboard. A shortcode is shown here; in this case the shortcode is: [ninja_form id=1]
2. Create a new page containing the shortcode [ninja_form id=1] and publish the page.
3. Go back to Ninja Forms > Dashboard and click on the default form that is created upon installation, called: Contact Me.
4. Open the Form Fields tab and click on the Name field. On the right side you will see an option to change the Label (below Single Line Text). Enter the following payload there: <!'/*"/*/'/*/"/*--></Script><Image SrcSet=K */; OnError=confirm`123` //>
5. Click the Done button, then click the Publish button.
6. Log out of WordPress and visit the page you created earlier. The stored XSS payload now executes (a confirm dialog pops up), even for the unauthenticated visitor, because the label was saved unescaped by an authenticated form editor and is rendered into the page.
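The root cause class here is a field label that is attacker-controlled once saved and then rendered into the page without output escaping. The following is an added example, not Ninja Forms code, using the advisory's payload as the stored label: it contrasts a verbatim-interpolation render with an escaped one, counts the tags a browser would parse from each, and includes a small triage helper for reviewing stored labels after upgrading.

```javascript
// Added example, not Ninja Forms code: why a stored field label becomes XSS and how
// output escaping neutralises it. STORED_LABEL is the payload quoted in the advisory.
const STORED_LABEL =
  "<!'/*\"/*/'/*/\"/*--></Script><Image SrcSet=K */; OnError=confirm`123` //>";

// Escape the characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Vulnerable pattern: the label saved by a form editor is interpolated into markup
// verbatim, so the browser parses the injected <Image ... OnError=...> tag.
function renderLabelUnsafe(fieldId, label) {
  return `<label for="nf-field-${fieldId}">${label}</label>`;
}

// Hardened pattern: the label is escaped at output time, so it can only ever be text.
function renderLabelSafe(fieldId, label) {
  return `<label for="nf-field-${escapeHtml(fieldId)}">${escapeHtml(label)}</label>`;
}

// Count the tags the browser would see. A rendered label should contain exactly two
// (the opening and closing <label>); anything more means the label injected markup.
function countTags(html) {
  return (html.match(/<[^>]*>/g) || []).length;
}

// Triage helper for defenders: flag stored labels containing markup or an event-handler
// attribute, e.g. when reviewing exported form definitions after patching the plugin.
function labelLooksInjected(label) {
  return /<|\bon\w+\s*=/i.test(String(label));
}

console.log(countTags(renderLabelUnsafe(1, STORED_LABEL))); // 5: the injected markup is parsed
console.log(countTags(renderLabelSafe(1, STORED_LABEL)));   // 2: only the <label> wrapper
console.log(labelLooksInjected(STORED_LABEL));              // true
```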
NIST CVSS score: 4.8
The plugin has more than 1 million active installations.