id: CVE-2023-37979

info:
  name: Ninja Forms <= 3.6.25 - Reflected XSS (Authenticated)
  author: Mehran Seifalinia
  severity: medium
  description: |
    The Ninja Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to, and including, 3.6.25.
    This vulnerability requires an authenticated user to exploit. Attackers can abuse the 'data' parameter with insufficient input sanitization and output escaping, allowing them to inject arbitrary web scripts that execute when an authenticated user, logged in to WordPress, performs certain actions, such as clicking on a link.
    Successful exploitation could lead to session hijacking, phishing attacks, or other malicious activities.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 5.0
    cve-id: CVE-2023-37979
  metadata:
    google-query: inurl:"/wp-content/plugins/ninja-forms/"
    shodan-query: 'vuln:CVE-2023-37979'
  tags: cve, wordpress, wp-plugin, ninja-forms, medium, xss

http:
  - method: GET
    redirects: true
    max-redirects: 3
    path:
      - "{{BaseURL}}/wp-content/plugins/ninja-forms/readme.txt"
      - "{{BaseURL}}/wp-admin/admin.php?page=ninja-forms"

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        internal: true
        regex:
          - "(?m)Stable tag:\\s*([\\d.]+)"
          - "Ninja Forms(?: Plugin)? Version:\\s*([\\d.]+)"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "Ninja Forms"
        part: body
        case-insensitive: true

      - type: dsl
        dsl:
          - "compare_versions(version, '<= 3.6.25')"