cybersecurityworks changed the title from "XSS in NextGEN Gallery by Photocrati Version 2.1.15" to "Multiple Cross site Scripting (XSS) in NextGEN Gallery by Photocrati Version 2.1.15" on Nov 25, 2015.
WordPress Product Bug Report
Bug Name: Multiple Cross Site Scripting (XSS)
Software: NextGen Gallery
Version: 2.1.15
Last Updated: 09-09-2015
Homepage: https://wordpress.org/plugins/nextgen-gallery/download/
Compatible up to: WordPress 4.3.0 (requires 3.6.1 or higher)
Severity: High
Status: Not Fixed
Exploitation Requires Authentication?: Yes
Vulnerable URL: http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1/
Vulnerable Variables: images[1][alttext] & path
POC URL: https://www.youtube.com/watch?v=FYpOdlehFfo
Description
Cross Site Scripting (XSS) vulnerability in WordPress plugin Gravity Forms. By exploiting a cross-site scripting vulnerability, the attacker can hijack a logged-in user's session by stealing cookies. This means that the malicious hacker can change the logged-in user's password and invalidate the victim's session while the hacker maintains access.
Proof of Concept (POC)
Visit the following page on a site with this plugin installed: http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 and modify the value of the images[1][alttext] and path variables in NextGEN Gallery by Photocrati version 2.1.10 with the payload
’)”></script><script>alert(document.cookie);</script>
and save it to view further. The added XSS payload will now be executed whenever the user reviews it.
Note: the XSS payload was tried once more after applying the unfiltered HTML setting in the wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );
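The note above matches how DISALLOW_UNFILTERED_HTML works: it only removes the unfiltered_html capability, which governs wp_kses filtering of post content and similar core fields, and does nothing for a plugin that echoes its own stored values unescaped. The following is an added illustration, not NextGEN Gallery's code, of the output pattern that a payload such as the one in the POC breaks out of, next to the WordPress escaping that closes it. It assumes the WordPress core functions esc_attr(), wp_json_encode(), sanitize_text_field() and wp_unslash() are loaded; the demo_* function names are made up for this example.

```php
<?php
// Added example (not NextGEN Gallery's code). Shows an unescaped output pattern
// and its hardened form. Assumes WordPress core is loaded; demo_* names are hypothetical.

// Vulnerable rendering: the stored alt text is dropped unescaped into an HTML
// attribute and into an inline JavaScript string. A quote in the value ends the
// attribute or string early, and whatever follows is parsed as markup or script.
function demo_render_alttext_vulnerable( $alttext ) {
    echo '<input type="text" name="images[1][alttext]" value="' . $alttext . '">';
    echo "<script>var alt = '" . $alttext . "';</script>";
}

// Hardened rendering: escape for the exact context the value lands in.
// esc_attr() encodes quotes and angle brackets for attribute context.
// wp_json_encode() emits a JavaScript string literal and, with PHP's default
// json_encode() flags, escapes "/" so a "</script>" inside the value cannot
// close the script element.
function demo_render_alttext_safe( $alttext ) {
    echo '<input type="text" name="images[1][alttext]" value="' . esc_attr( $alttext ) . '">';
    echo '<script>var alt = ' . wp_json_encode( $alttext ) . ';</script>';
}

// Hardened save path: strip tags and normalise whitespace before storing.
// Input sanitisation is a second layer only; the output escaping above is what
// actually stops the XSS, since values can also arrive by import or DB restore.
function demo_save_alttext( $raw_post_value ) {
    return sanitize_text_field( wp_unslash( $raw_post_value ) );
}
```

The same rule applies to the path variable and to every other field the edit form echoes back: esc_attr() for attribute values, esc_html() for text nodes, esc_url() for href and src, and a JSON or wp_add_inline_script() route for anything handed to JavaScript. Requiring the Administrator role, as the report notes, limits who can plant the payload but does not remove the bug, because the stored value still fires for any user who later views the page.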
Issue 1:
The POST request parameter images[1][alttext] at the URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 in NextGEN Gallery plugin version 2.1.10 is vulnerable to Cross Site Scripting (XSS).
Figure 1: XSS payload injected into the images[1][alttext] variable at the URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1
Figure 2: XSS payload executes in the browser whenever the user views it.
Figure 3: XSS payload injected into the path variable at the URL http://localhost/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=3&paged=1
Figure 4: XSS payload executes in the browser whenever the user views it.
Reproducing Steps
’)”></script><script>alert(document.cookie);</script> payload and save it to view further.
Users: you MUST be an Administrator and logged into the site as an Administrator in order to enter/test the XSS HTML test code in the reported variables. Please do NOT actually try this test. It has been updated for security awareness.
Timeline
2015-02-17 – Discovered in NextGen Gallery version 2.1.7.
2015-02-17 – Reported to plugins@wordpress.org.
2015-02-18 – Vendor responded saying, "Thank you, we'll inform NGG about this."
2015-09-04 – Same vulnerability discovered again in NextGen Gallery version 2.1.10.
2015-09-04 – Reported to plugins@wordpress.org.
2015-09-09 – Same vulnerability found and still present in NextGen Gallery version 2.1.15.
2015-09-14 – Reported the multiple XSS issues in version 2.1.15 directly to the Photocrati vendor. Also reminded the developer on the following dates: 27-10-2015, 02-11-2015 & 12-11-2015, with no response as of 25-11-2015.
Discovered by:
Sathish from Cyber Security Works Pvt Ltd