
    Stored Cross-Site Scripting in WordPress Plugin (ZOHO CRM Lead Magnet Version 1.7.2.4)

    A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted website. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.

CVE ID: CVE-2021-33849
CVSS v3.1: 5.4 (Medium)
EPSS: 0.02191%
Vendor: Zoho
CWE: CWE-79
Disclosed: Sep 1, 2021
Status: Fixed (patched)
    01/Description


    A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. The attack targets your application’s users and not the application itself while using your application as the attack’s vehicle. The XSS payload executes whenever the user changes the form values or deletes a created form in Zoho CRM Lead Magnet Version 1.7.2.4.

Vendor: Zoho
Affected Product: Zoho Lead Magnet Plugin
CVE: CVE-2021-33849
Securin ID: 2021-CSW-08-1050
Status: Fixed
Date: September 1, 2021
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
    02/Proof of Concept


CVSS 3.1: 5.4 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Scope: Changed
Impact: C:L / I:L / A:N

PoC / Exploitation Steps
The following vulnerability was detected in Zoho CRM Lead Magnet Version 1.7.2.4.

Issue: Stored Cross-Site Scripting.

Steps to Reproduce:

1. Log in to the WordPress application.
   Note: A virtual host (wptest.com) was used to test the application locally.
2. Install the Zoho CRM Lead Magnet Plugin.
   Figure 01: Zoho CRM Lead Magnet Version 1.7.2.4
3. Configure the Client ID and Secret Key.
4. Click the ‘Create New Form’ button, fill in the values, and then click the ‘Next’ button.
   Figure 02: New form in Zoho CRM Plugin
5. Encode the payload <img src=x onerror=alert(document.cookie)> with a hexadecimal HTML encoder.
   Figure 03: Encoding the Payload
6. Enter the encoded payload in the ‘Form Name’ field (formvalue parameter) to update the form. Then click the arrow button near the ‘Create a New Form’ heading to go back to the previous page.
   Figure 04: Entering the Encoded XSS Payload in the ‘Form Name’ Field
7. Click the pencil icon to edit the created form.
   Figure 05: Click on the Pencil Icon to Edit the Form
8. Change any form value, such as ‘Company’ or ‘Last Name’.
   Figure 06: Modifying Form Fields
   Figure 07: Injected XSS Payload Executed, Displaying an Alert Box with the Contents of the User’s Cookies
9. The XSS payload is also executed when the user tries to delete the form.
   Figure 08: XSS Payload Executed When the User Tries to Delete the Form
    03/Impact


    With Cross-Site Scripting, an attacker can control a script executed in the victim’s browser and then fully compromise that user. An XSS vulnerability enables attacks that are self-contained within the application. This means that an attacker does not need to find an external means of inducing the victim to make a request containing their exploit. Rather, the attacker can insert the exploit into the application and simply wait for users to encounter it.

    A Cross-Site Scripting attack results in the following:

    ● Cookie theft

    ● Disclosure of end-user files

    ● Installation of Trojan horse programs

    ● Redirection of user to some other page or site

    04/Remediation


1. Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library.

2. Implement input validation for special characters on all variables reflected to the browser and stored in the database.

3. Implement client-side validation.

To fix this vulnerability, follow these steps:

Figure 09: Default Cross-Site Scripting Mitigation Setting in the wp.config File Prevents Cross-Site Scripting Attacks
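The remediation items above are illustrated by the following added example. It is plain PHP (the language WordPress plugins are written in), not the Lead Magnet plugin's own source and not Securin's code. It takes the hex-entity-encoded payload from step 5 of the PoC as the stored "Form Name", shows an assumed vulnerable rendering pattern (entity-decoding the stored value and echoing it raw; the advisory does not show the plugin's actual rendering code), and beside it the hardened output encoding for the HTML body and attribute contexts plus the input-side check from item 02. The function names, the decode-then-echo pattern, and the 100-byte length limit are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Demonstrates output encoding at
// render time (remediation item 01) and input validation (item 02) for a
// stored "Form Name" value. Assumption: the plugin rendered the stored name
// in a way that let the browser see a live <img> tag; the exact code path
// is not shown in the advisory.

declare(strict_types=1);

// The PoC payload after hexadecimal HTML encoding (step 5 of the PoC).
const ENCODED_NAME = '&#x3c;img src=x onerror=alert(document.cookie)&#x3e;';

// Assumed vulnerable pattern: entity-decode the stored value, then echo it raw.
// The decoded "<img ...>" is now real markup and the onerror handler runs.
function render_form_name_vulnerable(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>' . $decoded . '</h2>';
}

// Hardened: encode for the HTML body context at output time.
// In WordPress this is what esc_html() does; here htmlspecialchars() is used
// so the file runs without WordPress. "&#x3c;" becomes "&amp;#x3c;", which
// the browser displays as literal text and never parses as a tag.
function render_form_name_html(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>' . $safe . '</h2>';
}

// Hardened: encode for an HTML attribute context (WordPress esc_attr()).
// Quotes are encoded too, so the value cannot break out of the attribute.
function render_form_name_attr(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="formvalue" value="' . $safe . '">';
}

// Input-side check (remediation item 02): reject markup characters in a form
// name whether they arrive raw or entity-encoded, by decoding first.
// Defence in depth only; output encoding above is the actual fix.
function is_valid_form_name(string $input): bool
{
    $decoded = html_entity_decode($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Assumed policy: no < > " ' and at most 100 bytes.
    return preg_match('/[<>"\']/', $decoded) !== 1 && strlen($decoded) <= 100;
}

// Self-check when run from the command line: php example.php
$checks = [
    // The vulnerable render produces a live <img> tag from the stored value.
    strpos(render_form_name_vulnerable(ENCODED_NAME), '<img') !== false,
    // Both hardened renders keep it inert text.
    strpos(render_form_name_html(ENCODED_NAME), '<img') === false,
    strpos(render_form_name_attr(ENCODED_NAME), '<img') === false,
    // The validator rejects the encoded payload but accepts a normal name.
    !is_valid_form_name(ENCODED_NAME),
    is_valid_form_name('Newsletter signup'),
];
echo in_array(false, $checks, true) ? "FAIL\n" : "all checks passed\n";
```

The design point is that the encoding must happen at the place the value is written into the page, chosen for that context (body text, attribute value, JavaScript string), and that stored data must never be entity-decoded on the way out. Rejecting angle brackets on input, as item 02 suggests, is worth doing as well, but it is the output encoding that makes the stored entity-encoded payload harmless on both the edit and delete pages described in the PoC.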

    05/Disclosure Timeline

Aug 26, 2021: Discovered in Zoho CRM Lead Magnet Version 1.7.2.4.
Sep 1, 2021: Reported to WordPress Team.
Sep 2, 2021: Vendor acknowledged.
Sep 2, 2021: Vendor blocked the plugin.
Sep 6, 2021: Zoho fixed the issue.
Sep 7, 2021: Vendor reopened the plugin for download.
Sep 7, 2021: CVE assigned.

    06/References

NVD, CVE-2021-33849: nvd.nist.gov/vuln/detail/CVE-2021-33849
Securin VI, Full Technical Analysis: vi.securin.io
