WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Photo Gallery < 1.5.79 - Stored XSS via Uploaded SVG in Zip

Description

The plugin did not ensure that uploaded SVG files inside a Zipped archive added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue

Proof of Concept

When editing or creating a gallery, Click 'Add Images' then 'Upload Files' and upload a Zip archive containing an SVG file with JavaScript code, then access the uploaded image from the uploads folder directly, e.g https://example.com/wp-content/uploads/photo-gallery/<archive_name>/xss.svg

v < 1.5.75 - SVG at the root/anywhere in the archive
v < 1.5.79 - Put the SVG inside a folder

Example of malicious SVG:
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.domain);</script>
</svg>

Affects Plugins

photo-gallery
Fixed in version 1.5.79

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID
a20a2ece-6c82-41c6-a21e-95e720f45584

Timeline

Publicly Published

2021-07-19 (about 11 months ago)

Added

2021-07-19 (about 11 months ago)

Last Updated

2021-07-19 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin