In the ever-changing world of web security, WordPress plugins often find themselves at the forefront of both innovation and vulnerabilities. The latest discovery, CVE-2024-5442, reveals a critical flaw in the popular NextGen Gallery WordPress plugin gallery. This vulnerability makes a stored cross-site scripting (XSS) attack possible, allowing attackers to inject malicious JavaScript code and potentially create a backdoor to hijack accounts.
| CVE | CVE-2024-5442 |
| Plugin | NextGEN Gallery < 3.59.3 |
| Critical | Low |
| All Time | 40 625 705 |
| Active installations | 500 000+ |
| Publicly Published | June 22, 2024 |
| Last Updated | June 22, 2024 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5442/ https://wpscan.com/vulnerability/4f1fa417-f760-4132-95c2-a38d0b631263/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| May 14, 2024 | Plugin testing and vulnerability detection in the NextGEN Gallery have been completed |
| May 14, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| June 22, 2024 | Registered CVE-2024-5442 |
Discovery of the Vulnerability
During a routine security assessment of the NextGEN Gallery plugin, a stored cross-site scripting (XSS) vulnerability was identified. This vulnerability, cataloged as CVE-2024-5442, allows an attacker with administrator-level access to inject malicious scripts into the gallery settings. This flaw can be exploited to hijack user accounts and perform unauthorized actions on behalf of the affected users.
Understanding of Stored XSS attack’s
Cross-Site Scripting (XSS) is a prevalent security issue in web applications, including WordPress. XSS vulnerabilities arise when an application includes untrusted data in a web page without proper validation or escaping. This allows attackers to execute arbitrary scripts in the context of the victim’s browser. In WordPress, XSS vulnerabilities often emerge from plugins or themes that do not adequately sanitize user inputs.
In the case of NextGEN Gallery plugin, the XSS vulnerability is stored, meaning the malicious script is permanently stored on the target server, such as within a database, and is executed when a user visits the affected page. This type of XSS can have severe consequences, including session hijacking, defacement, and in this scenario, account takeover through backdoor creation.
Exploiting the Stored XSS Vulnerability
To exploit the stored XSS vulnerability in NextGEN Gallery, an attacker with administrator access needs to follow these steps:
POC:
- Navigate to Manage Albums: The attacker logs in to the WordPress dashboard and goes to the “Manage Albums” section of the NextGEN Gallery plugin.
- Add a New Album with Malicious Payload: The attacker creates a new album and includes the following malicious payload in one of the album fields: `”><script></script><img src=x onerror=alert(document.domain)>`
- Save the Malicious Album: The attacker saves the album, ensuring that the payload is stored in the album data
- Insert the Album into a Page or Post: The attacker then goes to the Posts or Pages section, selects a post or page, and uses the Gutenberg block editor to insert the NextGEN Gallery. They choose the album with the injected payload in the “INSERT INTO PAGE” field.
____
The potential risks associated with this vulnerability are extensive. Attackers could leverage this flaw to:
- Create Backdoors: Persistently access compromised accounts even after detection.
- Hijack Sessions: Steal session cookies and hijack active user sessions.
- Deface Websites: Alter the appearance of the site or display unwanted content.
- Steal Sensitive Data: Access confidential user data or administrative functions.
Real-world scenarios might include an attacker gaining administrative privileges, altering critical site settings, or spreading the exploit to other users who interact with the compromised site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-5442, the following steps are recommended:
- Update the Plugin: Ensure that the Easy Table of Contents plugin is updated to the latest version, where the vulnerability is patched.
- Sanitize Inputs: Implement robust input validation and sanitization to prevent malicious code from being accepted.
- Restrict Unfiltered HTML: Limit the use of the
unfiltered_htmlcapability to trusted users only, minimizing the risk of XSS exploits. - Regular Security Audits: Conduct periodic security audits of plugins and themes to identify and address vulnerabilities proactively.
- Educate Users: Train users on the importance of security best practices, particularly those with elevated privileges.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-5442, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #Vulnerability
Use CleanTalk solutions to improve the security of your website
ARTYOM K.
