    Severity: Medium · CVSS 5.4 · Patched · EPSS 0.00311%

    Reflected Cross-Site Scripting in ZOHO CRM Lead Magnet

    The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via module, EditShortcode, or LayoutName.

    CVE ID: CVE-2019-19306
    CVSS v3.1: 5.4 (Medium)
    Vendor: Zoho
    CWE: CWE-79
    Disclosed: Oct 14, 2019
    Status: Fixed

    01/Description

    A vulnerability was discovered in the WordPress plugin ZOHO CRM Lead Magnet 1.6.9.1. The input variables vulnerable to XSS are ‘Module’, ‘EditShortcode’, and ‘LayoutName’ on the Zoho CRM form creation page. The vulnerability allows an attacker to inject malicious code into the plugin by supplying an XSS payload as the value of any of these variables.

    Vendor: Zoho
    Affected Product: Lead Magnet
    CVE: CVE-2019-19306
    Securin ID: 2019-CSW-03-1026
    Status: Fixed
    Date: October 14, 2019
    Severity: Medium
    CVSS Score: 5.4
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    CWE: CWE-79

    02/Proof of Concept

    CVSS 3.1 score: 5.4
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    Scope: Changed
    Impact: C:L / I:L / A:N
    Severity: Medium

    Issue 1: By exploiting the cross-site scripting vulnerability, an attacker can take over the user’s session by stealing cookies and exploiting the user’s browser.

    PoC: Exploitation Steps

    Figure 01: Zoho CRM Lead Magnet.
    Figure 02: Client key and secret ID are filled in when authenticating the Zoho CRM plugin.

    2. Click on the Create New Form button, fill in the values and click on the Next button.
       Figure 03: New form in Zoho CRM Plugin.
    3. Add the payload <img src=x onerror=alert(document.cookie)> to the vulnerable parameters by intercepting the request in a proxy tool.
       Figure 04: Request with XSS payload sent to the server.
       Figure 05: Request and response captured in the proxy.
    4. The injected XSS payload is executed when the user visits or reloads the page.
       Figure 06: The JavaScript is executed in the victim’s browser context.
       Figure 07: The WordPress application runs on version 5.2.3.
       Figure 08: The WordPress Zoho CRM Lead Magnet plugin version is 1.6.9.1.
       Figure 09: The default cross-site scripting mitigation setting in the wp.config file to prevent cross-site scripting attacks.

    03/Impact

    An attacker can inject malicious code into a request via a crafted URL; the server returns the script to the client in the response, resulting in reflected cross-site scripting (XSS) on the Lead Magnet pages of the WordPress plugin.
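    The three parameters named in the Description and reflected in the PoC above (module, EditShortcode, LayoutName) are a narrow enough surface that a request-inspection rule can flag exploitation attempts before a patched plugin is rolled out. The following is an added example, not code from the advisory or from the plugin: a small check meant to run in a WAF hook or over proxy-captured query strings and form bodies. The query-string samples are constructed; the parameter names come from the advisory, and the check decodes repeatedly so a double-encoded payload is not missed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Parameters reflected unescaped by Zoho CRM Lead Magnet 1.6.9.1 (CVE-2019-19306).
VULNERABLE_PARAMS = {"module", "editshortcode", "layoutname"}

# Markup that has no business in these values: an HTML tag, an inline event
# handler, or a javascript: URL. Deliberately broad; tune to your false-positive budget.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*[a-z!/]"        # start of a tag or comment, e.g. <img
    r"|\bon[a-z]+\s*="         # onerror=, onload=, ...
    r"|javascript\s*:",        # javascript: scheme
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %253C (double-encoded '<') is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(raw_query: str) -> dict:
    """Return {param_name: decoded_value} for vulnerable params carrying XSS-looking markup.

    raw_query is the raw (undecoded) query string or form body. Only the three
    parameters from the advisory are inspected; other params are ignored here.
    """
    hits = {}
    for name, values in parse_qs(raw_query, keep_blank_values=True).items():
        if name.lower() not in VULNERABLE_PARAMS:
            continue
        for v in values:          # parse_qs already decoded once
            decoded = fully_decode(v)
            if XSS_MARKERS.search(decoded):
                hits[name] = decoded
    return hits


# Constructed samples: a normal form-creation request, the advisory's payload,
# and a double-encoded variant of a script tag.
BENIGN = "module=Leads&EditShortcode=0&LayoutName=Standard"
MALICIOUS = "module=Leads&LayoutName=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"
DOUBLE_ENCODED = "module=%253Cscript%253E&LayoutName=Standard"

if __name__ == "__main__":
    for sample in (BENIGN, MALICIOUS, DOUBLE_ENCODED):
        print(sample, "->", suspicious_params(sample) or "clean")
```

    A match is a reason to block or alert on the request and to confirm the installed plugin version, not proof of a successful attack on its own.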

    04/Remediation

    Download the latest version of the plugin and apply the patches advised by the vendor.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-19306, contact disclose@securin.io
    05/Disclosure Timeline

    Oct 13, 2019: Discovered in the WordPress Zoho CRM Lead Magnet plugin.
    Oct 14, 2019: Reported to the WordPress plugin team.
    Oct 15, 2019: WordPress plugin team acknowledged the report.
    Oct 15, 2019: The issue was acknowledged and fixed immediately.

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    NVD: CVE-2019-19306, nvd.nist.gov/vuln/detail/CVE-2019-19306
    Securin VI: Full Technical Analysis, vi.securin.io

    © 2026 Securin Inc · CVE Numbering Authority