CVE-2015-9539: XSS in Fast Secure Contact Form Plugin

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A Cross-Site Scripting vulnerability was identified in WordPress plugin Fast Secure Contact Form before 4.0.37 in fs_contact_form1[welcome].

Vendor: Fast Secure
Affected Product: Fast Secure Contact Form
CVE: CVE-2015-9539
Securin ID: 2015-CSW-09-1007
Status: Fixed
Date: September 7, 2015
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01Visit the following page on a site with this plugin installed.02http://yourwordpresssite.com/wordpress/wpadmin/plugins.php?page=sicontactform%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1 and modify the value of fs_contact_form1[welcome] variable with <script>alert(document.cookie);</script> payload and send the request to the server. Now, the added XSS payload is echoed back from the server without validating the input whenever we visit the script stored page.03Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file.04define( ‘DISALLOW_UNFILTERED_HTML’, true );05Issue: POST request parameter fs_contact_form1[welcome] variable in the given URL http://yourwordpresssite.com/wordpress/wpadmin/plugins.php?page=sicontactform%2Fsi-contact-form.php&fscf_form=1&fscf_tab=1 of Fast Secure Contact Form 4.0.37 is vulnerable to Cross-Site Scripting (XSS).06Figure 01: http://yourwordpresssite.com/wordpress/wp-admin/plugins.php?page=si-contact-form%2Fsi-contact-form.php&fscf_form=1&fscf_tab=107Figure 02: XSS Payload is executed in the browser whenever the user views it.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can inject malicious code into the applications via a vulnerable variable.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9539, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Sep 05, 2015

Discovered in Fast Secure Contact Form plugin 4.0.37 Version.

Sep 07, 2015

Reported to WP Plugin.

Sep 07, 2015

WP acknowledged the issue.

Sep 08, 2015

Fixed in 4.0.38 version of Fast Secure Contact Form plugin.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-9539

nvd.nist.gov/vuln/detail/CVE-2015-9539 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A Cross-Site Scripting vulnerability was identified in WordPress plugin Fast Secure Contact Form before 4.0.37 in fs_contact_form1[welcome].

Vendor: Fast Secure
Affected Product: Fast Secure Contact Form
CVE: CVE-2015-9539
Securin ID: 2015-CSW-09-1007
Status: Fixed
Date: September 7, 2015
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can inject malicious code into the applications via a vulnerable variable.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9539, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Sep 05, 2015

Discovered in Fast Secure Contact Form plugin 4.0.37 Version.

Sep 07, 2015

Reported to WP Plugin.

Sep 07, 2015

WP acknowledged the issue.

Sep 08, 2015

Fixed in 4.0.38 version of Fast Secure Contact Form plugin.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-9539

nvd.nist.gov/vuln/detail/CVE-2015-9539 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Reflected XSS in Fast Secure Contact Form

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in Fast Secure Contact Form plugin 4.0.37 Version.

Reported to WP Plugin.

WP acknowledged the issue.

Fixed in 4.0.38 version of Fast Secure Contact Form plugin.

Cite, verify, go deeper.

NVD — CVE-2015-9539

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected XSS in Fast Secure Contact Form

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in Fast Secure Contact Form plugin 4.0.37 Version.

Reported to WP Plugin.

WP acknowledged the issue.

Fixed in 4.0.38 version of Fast Secure Contact Form plugin.

Cite, verify, go deeper.

NVD — CVE-2015-9539

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected XSS in Fast Secure Contact Form

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in Fast Secure Contact Form plugin 4.0.37 Version.

Reported to WP Plugin.

WP acknowledged the issue.

Fixed in 4.0.38 version of Fast Secure Contact Form plugin.

Cite, verify, go deeper.

NVD — CVE-2015-9539

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Reflected XSS in Fast Secure Contact Form

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in Fast Secure Contact Form plugin 4.0.37 Version.

Reported to WP Plugin.

WP acknowledged the issue.

Fixed in 4.0.38 version of Fast Secure Contact Form plugin.

Cite, verify, go deeper.

NVD — CVE-2015-9539

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.