Easy FancyBox WordPress Plugin Stored Cross-site Scripting (XSS)
Vulnerability Overview
The Easy FancyBox WordPress Plugin Version 1.8.17 is susceptible to Stored
Cross-site Scripting in the Settings > Media admin page /wp-admin/options-media.php
due to improper encoding of arbitrarily submitted setting parameters. The vulnerability
affects every publicly accessible page of the WordPress site.
- Identifier : SBA-ADV-20190911-01
- Type of Vulnerability : Cross-site Scripting
- Software/Product Name : Easy FancyBox
- Vendor : RavanH
- Affected Versions : <= 1.8.17
- Fixed in Version : 1.8.18
- CVE ID : CVE-2019-16524
- CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
- CVSS Base Score : 3.5 (Low)
Vendor Description
Easy FancyBox plugin for WordPress websites gives you a flexible and aesthetic light box solution for just about all media links on your website. Easy FancyBox uses an updated version of the traditional FancyBox jQuery extension and is WP 3+ Multi-Site compatible. After activation you can find a new section FancyBox on your Settings > Media admin page where you can manage the media light box options.
Source: https://wordpress.org/plugins/easy-fancybox/
Impact
By exploiting the documented vulnerability, an attacker can execute JavaScript code in a victim's browser within the origin of the target site. This can be misused, for example, by taking over future administrative web management sessions.
Vulnerability Description
Several parameters of the file /inc/class-easyfancybox.php are affected by
stored cross-site scripting vulnerabilities. The file is a part of the
Settings > Media admin page of the WordPress instance.
These setting parameters are embedded, without encoding or sanitization, in CSS blocks that are sent to the client's browser. The style sheet is delivered with every publicly accessible page, whether or not the plugin is needed on that page.
For example, the following parameters are vulnerable:
- fancybox_titleColor
- fancybox_paddingColor
There are many more vulnerable parameters; the two listed above are given only as examples.
The vulnerabilities are located in /inc/class-easyfancybox.php:
[...]
if ( !empty($paddingColor) )
    $content_style .= 'border-color:'.$paddingColor.';';
[...]
if ( !empty($titleColor) )
    $styles .= '#fancybox-title,#fancybox-title-float-main{color:'.$titleColor.'}';
[...]
As the above code snippet shows, the parameters $paddingColor and
$titleColor contain user input and are concatenated into $content_style
and $styles respectively without any sanitization or escaping.
Proof of Concept
An attacker can exploit this vulnerability by first gaining access to the
Settings > Media page within the administrative portal and then setting
$titleColor to the following string:
#44}</style><img src="" onerror="alert(1)">
This leads to the following HTML response (shortened for readability):
<style id='fancybox-inline-css' type='text/css'>
#fancybox-title,#fancybox-title-float-main{color:#44}</style><img src="" onerror="alert(1)">}
</style>
Recommended Countermeasures
We recommend strictly whitelisting the user input before it is used. The only allowed characters should be alphanumeric characters and the hash sign.
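The following PHP is an added example written for this advisory; it is not code from the Easy FancyBox plugin or its vendor. It applies the recommended whitelist (alphanumerics and the hash sign only) to a colour setting before the value is concatenated into the inline style sheet, and shows that the proof-of-concept string above is rejected while a plain colour value passes. The function names efb_example_sanitize_color and efb_example_title_rule are hypothetical, as is the upper length bound of 32 characters.

```php
<?php
// Added example (not the plugin's own code). Function names are hypothetical.

/**
 * Whitelist a colour setting: return the value unchanged if it consists only
 * of an optional leading '#' followed by alphanumerics, otherwise return ''
 * so the caller drops the rule instead of emitting attacker-controlled CSS.
 * The 32-character bound is an assumption, chosen to keep the value short.
 */
function efb_example_sanitize_color( $value ) {
    $value = trim( (string) $value );
    return preg_match( '/\A#?[A-Za-z0-9]{1,32}\z/', $value ) === 1 ? $value : '';
}

/**
 * Build the title-colour rule quoted in the advisory, but only from a
 * whitelisted value. Returns '' when the value is rejected, so nothing
 * derived from the rejected input reaches the <style> block.
 */
function efb_example_title_rule( $titleColor ) {
    $safe = efb_example_sanitize_color( $titleColor );
    if ( $safe === '' ) {
        return '';
    }
    return '#fancybox-title,#fancybox-title-float-main{color:' . $safe . '}';
}

// Constructed inputs: a normal colour value and the payload from the
// proof of concept above, which must not survive the whitelist.
$inputs = array(
    '#44',
    '#44}</style><img src="" onerror="alert(1)">',
);

foreach ( $inputs as $in ) {
    $rule = efb_example_title_rule( $in );
    if ( $rule === '' ) {
        echo "rejected: {$in}\n";
    } else {
        echo "accepted: {$in}\n  {$rule}\n";
    }
}
```

In a WordPress plugin the same whitelist should run when the option is saved as well as when it is output; registering the sanitizer as the sanitize_callback of register_setting() covers the save path, and applying it again at output protects against values that reached the database by another route. Note that HTML attribute escaping alone (for example esc_attr()) is not a substitute here, because the value is interpreted in a CSS context and a closing </style> sequence is what breaks out of it.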
Timeline
- 2019-09-11 : Identified the vulnerability in version 1.8.17
- 2019-09-11 : Contacted the vendor via support
- 2019-09-16 : Vendor closed the vulnerability in version 1.8.18
- 2019-09-25 : Publication of CVE-2019-16524
References
Credits
- Jakob Hagl (SBA Research)