AppCheck has identified multiple Cross-Site Scripting (XSS) vulnerabilities within the popular “Photo Gallery” WordPress plugin by 10Web.
The plugin is used to create mobile-friendly media galleries for WordPress websites. The vendor 10Web describes it as:
“Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.”
According to wordpress.org. there are 200,000 active installations of the plugin.
https://wordpress.org/plugins/photo-gallery/
Upgrade the plugin to version 1.8.22 or later.
Cross Site Scripting (XSS) vulnerabilities occur when data submitted to the application is not properly sanitized before being embedded within the application’s response or stored for later retrieval.
Reflected XSS vulnerabilities are typically exploited by embedding malicious script code within links to the application. The attacker would then attempt to trick the user into following the maliciously crafted link via a social engineering attack such as a Phishing email.
Upon clicking the malicious link, the embedded script code is inserted into the server’s response and executed within user’s web browser.
Stored Cross-Site Scripting (sometimes referred to second order or persistent XSS), operates in a similar way except the script code is stored by the application and could allow users of the application to be targeted even without following a specific link from the attacker.
The payload of an XSS attack can achieve anything that a legitimate script within the page can. For example, the injected script can read client-side data such as authentication tokens, carry out actions on behalf of the user (such as edit page content if the user has permission to do so), or serve up malware or misleading information to the user.
The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue.
Note that other parameters within a AJAX call, such as image_id, must be valid for this vulnerability to be successfully exploited.
Example:
If successful, an alert box displaying the text “xss” will be displayed.
The screenshot below shows the code being injected:
A similar issue affects the “editimage_bwg” AJAX action, in this case the target user needs to be logged in with permission to access this feature. From the attackers perspective this is still an attractive proposition, however its something to be aware of when recreating this issue.
The “image_id” (CVE-2024-29808), “image_url” (CVE-2024-29809) and “thumb_url” (CVE-2024-29810) parameters are all affected.
Example: image_id parameter
Example: image_url
Example: thumb_url
The image uploader feature has some code designed to strip <script> tags from SVG images for security purposes. The code can be found in photo-gallery\filemanager\UploadHandler.php
The following lines are responsible for removing scripts:
// Remove scripts from SVG files for security reasons.
$file_content = file_get_contents($file_path);
file_put_contents($file_path, preg_replace(‘#<script(.*?)>(.*?)</script>#is’, ”, $file_content));
This regular expression can be easily bypassed to inject a script that does not match the expression but still executes as normal. There are many ways to do this, for example, adding a single space at the end of the closing script tag such as </script> becomes </script >.
Here is an example:
<?xml version=”1.0″ standalone=”no”?>
<!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd”>
<svg version=”1.1″ baseProfile=”full” xmlns=”http://www.w3.org/2000/svg”>
<polygon id=”triangle” points=”0,0 0,50 50,0″ fill=”#009900″ stroke=”#004400″/>
<script type=”text/javascript”>
alert(‘XSS!’);
</script >
</svg>
Note that we get a resizing error message, but the file is still uploaded and accessible.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please contact us: info@localhost
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)