Easy FancyBox WordPress Plugin Stored Cross-site Scripting (XSS)

Vulnerability Overview

The Easy FancyBox WordPress Plugin Version 1.8.17 is susceptible to Stored Cross-site Scripting in the Settings > Media admin page (/wp-admin/options-media.php) because arbitrarily submitted setting parameters are embedded in the output without proper encoding. The vulnerability affects every publicly accessible page of the WordPress site.

  • Identifier : SBA-ADV-20190911-01
  • Type of Vulnerability : Cross-site Scripting
  • Software/Product Name : Easy FancyBox
  • Vendor : RavanH
  • Affected Versions : <= 1.8.17
  • Fixed in Version : 1.8.18
  • CVE ID : CVE-2019-16524
  • CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
  • CVSS Base Score : 3.5 (Low)

Vendor Description

Easy FancyBox plugin for WordPress websites gives you a flexible and aesthetic light box solution for just about all media links on your website. Easy FancyBox uses an updated version of the traditional FancyBox jQuery extension and is WP 3+ Multi-Site compatible. After activation you can find a new section FancyBox on your Settings > Media admin page where you can manage the media light box options.

Source: https://wordpress.org/plugins/easy-fancybox/

Impact

By exploiting the documented vulnerability, an attacker can execute JavaScript code in a victim's browser within the origin of the target site. This can be misused, for example, by taking over future administrative web management sessions.

Vulnerability Description

Several parameters of the file /inc/class-easyfancybox.php are affected by stored cross-site scripting vulnerabilities. The file is part of the Settings > Media admin page of the WordPress instance.

These setting parameters are embedded, without encoding or sanitization, in CSS blocks that are sent to the client's browser. The style sheet is sent along with every publicly accessible page, whether or not the plugin is needed on that page.

For example, the following parameters are vulnerable:

  • /inc/class-easyfancybox.php
    • fancybox_titleColor
    • fancybox_paddingColor

There are many more vulnerable parameters; the ones listed above are given only as an example.

The vulnerabilities are located in /inc/class-easyfancybox.php:

[...]
		if ( !empty($paddingColor) )
			$content_style .= 'border-color:'.$paddingColor.';';
[...]
		if ( !empty($titleColor) )
			$styles .= '#fancybox-title,#fancybox-title-float-main{color:'.$titleColor.'}';
[...]

As the above code snippet shows, the parameters $paddingColor and $titleColor contain user input and are concatenated into $content_style and $styles respectively, without any sanitization or escaping.

Proof of Concept

An attacker who has access to the Settings > Media page within the administrative portal can exploit this vulnerability by setting the following string as the value of $titleColor:

#44}</style><img src="" onerror="alert(1)">

This leads to the following HTML response (shortened for readability):

<style id='fancybox-inline-css' type='text/css'>
#fancybox-title,#fancybox-title-float-main{color:#44}</style><img src="" onerror="alert(1)">}
</style>

Recommended Countermeasures

We recommend strictly whitelisting the user input before it is used: only alphanumeric characters and the hash sign should be allowed.
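The following is an added example, not code from the plugin or from the advisory, showing the whitelist recommended above applied to the two parameters quoted in the Vulnerability Description. It keeps the variable names of the excerpt ($titleColor, $paddingColor, $styles, $content_style); the function names efb_whitelist_color and efb_build_inline_css, the length limit and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not the plugin's own code): whitelist a colour setting before it
// is concatenated into the inline style sheet. Function names, the length limit
// and the sample values below are assumptions made for this example.

/**
 * Return the value unchanged if it consists only of alphanumeric characters and
 * the hash sign, otherwise an empty string. An empty result is then skipped by
 * the same !empty() checks the plugin already performs.
 */
function efb_whitelist_color( $value ) {
    $value = (string) $value;
    // Anchored pattern: the whole string must match, so a value such as
    // '#44}</style><img src="" onerror="alert(1)">' is rejected outright
    // because '}', '<', '>', '/', '"', '=', '(', ')' and space are not allowed.
    // 32 characters is an assumed upper bound; CSS colour keywords and
    // hex values are well below it.
    return preg_match( '/\A[#A-Za-z0-9]{1,32}\z/', $value ) ? $value : '';
}

/**
 * Build the two CSS fragments the vulnerable excerpt builds, but only after
 * each colour has passed the whitelist. Returns both fragments so the caller
 * can place them in whatever selectors the plugin uses.
 */
function efb_build_inline_css( $titleColor, $paddingColor ) {
    $styles        = '';
    $content_style = '';

    $paddingColor = efb_whitelist_color( $paddingColor );
    if ( ! empty( $paddingColor ) ) {
        $content_style .= 'border-color:' . $paddingColor . ';';
    }

    $titleColor = efb_whitelist_color( $titleColor );
    if ( ! empty( $titleColor ) ) {
        $styles .= '#fancybox-title,#fancybox-title-float-main{color:' . $titleColor . '}';
    }

    return array(
        'styles'        => $styles,
        'content_style' => $content_style,
    );
}

// Constructed inputs: the advisory's proof-of-concept string and two benign values.
$payload = '#44}</style><img src="" onerror="alert(1)">';

var_dump( efb_whitelist_color( $payload ) );    // string(0) ""
var_dump( efb_whitelist_color( '#333' ) );      // string(4) "#333"
var_dump( efb_whitelist_color( 'DarkBlue' ) );  // string(8) "DarkBlue"

// The payload is dropped; the benign padding colour still reaches the CSS.
print_r( efb_build_inline_css( $payload, '#ccc' ) );
// Array ( [styles] => [content_style] => border-color:#ccc; )
```

The check belongs at both ends of the data flow: as the sanitize callback when the option is saved, so that a malicious value never reaches the database, and again immediately before the value is concatenated into the style sheet, so that a value planted by other means is still neutralised. Where a setting is always a hex colour, WordPress core's sanitize_hex_color() is a stricter ready-made alternative to the regular expression shown here.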

Timeline

  • 2019-09-11 Identified the vulnerability in version 1.8.17
  • 2019-09-11 Contacted the vendor via support
  • 2019-09-16 Vendor closed the vulnerability in version 1.8.18
  • 2019-09-25 Publication of CVE-2019-16524

References

Credits