WordPress Product Bugs Report
Bug Name: XSS (Cross-Site Scripting)
Software: NextGen Gallery
Version: 2.1.7
Last Updated: 12-08-2015
Homepage: https://wordpress.org/plugins/nextgen-gallery/download/
Compatible up to: WordPress 4.3.0 (Requires: 3.6.1 or higher)
Severity: High
Description: Multiple XSS vulnerabilities in the WordPress plugin NextGen Gallery
Reproducing Steps
Log in to any WordPress installation (localhost or a public host).
Modify the variables listed under Issue 1 and Issue 2 below in NextGEN Gallery (Photocrati) version 2.1.7, the most recently updated version at the time of discovery.
Fill all of those variables with the payload "><img src=x onerror=prompt(1)> and save the settings.
The stored XSS payload is then executed whenever the settings page is viewed again.
Timeline
31-08-2015 – Discovered in NextGen Gallery version 2.1.7
31-08-2015 – Reported to the WordPress plugin team
01-09-2015 – Fixed in NextGen Gallery version 2.1.10
Details
Proof of Concept (POC)
Visit the following page on a site with this plugin installed: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1. Modify the value of the path variable in NextGEN Gallery (Photocrati) version 2.1.10 to the payload '></script><script>alert(document.cookie);</script> and save it.
The stored XSS payload is then executed whenever a user views that page.
Note: the XSS payload was tested against the application after the unfiltered-HTML restriction had been set in the wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );
Issue 1:
Vulnerable URL: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_display_settings
Request method: POST
Vulnerable variables:
• photocrati-nextgen_basic_thumbnails[thumbnail_width]
• photocrati-nextgen_basic_thumbnails[thumbnail_height]
• photocrati-nextgen_basic_thumbnails[template]
• photocrati-nextgen_basic_imagebrowser[template]
• photocrati-nextgen_basic_singlepic[template]
• photocrati-nextgen_basic_compact_album[template]
• photocrati-nextgen_basic_compact_album[thumbnail_width]
• photocrati-nextgen_basic_compact_album[thumbnail_height]
• photocrati-nextgen_basic_extended_album[template]
• photocrati-nextgen_basic_extended_album[thumbnail_width]
• photocrati-nextgen_basic_extended_album[thumbnail_height]
Figure 1: HTTP request and response for the vulnerable variable photocrati-nextgen_basic_thumbnails[thumbnail_width]
Issue 2:
Vulnerable URL: http://wordpresssite.com/wordpress/wp-admin/admin.php?page=ngg_other_options
Request method: POST
Vulnerable variables:
• thumbnail_settings[thumbwidth]
• thumbnail_settings[thumbheight]
• watermark_options[wmXpos]
• watermark_options[wmYpos]
Figure 2: HTTP request and response for the vulnerable variable thumbnail_settings[thumbwidth]
Figure 3: XSS response executed in the browser
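The fields listed under Issue 1 and Issue 2 are pixel counts and template names, so the remediation pattern is to coerce or whitelist them when they are saved and to escape them when they are echoed back into the settings form. The following is an added example written for this report, not NextGEN Gallery's own code; the option names, template names and the stand-in helper functions are assumptions.

```php
<?php
// Added example (not the plugin's code): sanitize-on-save plus
// escape-on-output for the settings fields named in Issue 1 and Issue 2.

// Stand-ins so this file also runs with plain `php` outside WordPress,
// where absint() and esc_attr() are the real helpers.
if (!function_exists('absint')) {
    function absint($value) { return abs((int) $value); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Templates a display type may use (illustrative names). Unknown values are
// replaced rather than stored, so a template field can never carry markup.
const ALLOWED_TEMPLATES = ['default', 'caption'];

function sanitize_template(string $template): string {
    return in_array($template, ALLOWED_TEMPLATES, true) ? $template : 'default';
}

// Width, height and watermark offsets are pixel counts: a non-negative integer
// is the only valid shape, so any other input collapses to 0 on save.
function sanitize_thumbnail_settings(array $posted): array {
    return [
        'thumbwidth'  => absint($posted['thumbwidth']  ?? 0),
        'thumbheight' => absint($posted['thumbheight'] ?? 0),
    ];
}

// Output side: escape every value written into an attribute even though it
// was sanitized on save, because values stored before the fix may still be
// in the database.
function render_width_field(array $settings): string {
    return '<input type="text" name="thumbnail_settings[thumbwidth]" value="'
        . esc_attr($settings['thumbwidth']) . '">';
}

// Constructed input: the payload from the report submitted as the width.
$posted = ['thumbwidth' => '"><img src=x onerror=prompt(1)>', 'thumbheight' => '120'];
echo render_width_field(sanitize_thumbnail_settings($posted)), PHP_EOL;
// A legacy value that skipped sanitization is still neutralized at output time.
echo render_width_field(['thumbwidth' => $posted['thumbwidth']]), PHP_EOL;
echo sanitize_template('"><script>x</script>'), PHP_EOL;
```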
Discovered by:
Sathish from Cyber Security Works Pvt Ltd