CVE-2024-3899 is a severe vulnerability found in the Envira Gallery plugin, a popular WordPress plugin used by over 100,000 websites to create image galleries. This vulnerability allows contributors (or users with higher privileges) to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript code in the “Title” field of image settings. When exploited, this flaw can lead to the creation of unauthorized admin accounts, giving attackers complete control over the website.

CVECVE-2024-3899
PluginEnvira Gallery < 1.8.15
CriticalHigh
All Time3 972 678
Active installations100 000+
Publicly PublishedAugust 19, 2024
Last UpdatedAugust 19, 2024
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3899
https://wpscan.com/vulnerability/e3afadda-4d9a-4a51-b744-10de7d8d8578/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

April 11, 2024Plugin testing and vulnerability detection in the Gallery Plugin for WordPress – Envira Photo Gallery have been completed
April 11, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 19, 2024Registered CVE-2024-3899

Discovery of the Vulnerability

During a security audit of the Envira Gallery plugin, a vulnerability was discovered in how the plugin processes user input in the “Title” field for images within galleries. The vulnerability arises from the plugin’s failure to properly sanitize input, allowing malicious JavaScript to be executed whenever an administrator or editor interacts with the image settings.

In the proof-of-concept (PoC), an attacker creates a new gallery and adds an image. By injecting a malicious payload such as <img src=x onerror=alert(1)> into the image “Title” field, the attacker is able to insert harmful JavaScript. When the gallery is viewed or edited by an administrator, the script is executed, potentially leading to the creation of a new admin account or other unauthorized actions.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) vulnerabilities allow attackers to inject and execute malicious scripts in the browser of another user who visits the affected website. In WordPress, XSS is particularly dangerous because it can be used to manipulate site content, steal sensitive data, or even escalate privileges. Stored XSS, as demonstrated in CVE-2024-3899, occurs when malicious scripts are permanently stored in the website and executed whenever someone accesses the infected content.

Real-world examples of XSS attacks in WordPress often involve inserting scripts into forms, post metadata, or widget fields. In the case of Envira Gallery, the attack vector is the image “Title” field, where the malicious JavaScript is stored and triggered when a privileged user interacts with the image in the gallery. This kind of attack can lead to severe consequences, such as account hijacking or site defacement.

Exploiting the XSS Vulnerability

Exploiting CVE-2024-3899 requires a user with contributor or higher-level access to create a new gallery and upload an image. The attacker then adds a JavaScript payload like <img src=x onerror=alert(1)> into the image “Title” field. When the administrator or editor views the gallery or interacts with the image settings, the injected script is executed.

POC:

Create a new Galley and add here image. Go to image settings and add to field "Title" - &lt;img src=x onerror=alert(1)&gt;

____

The risks associated with CVE-2024-3899 are significant, given the plugin’s wide usage and the potential for contributors to escalate their privileges through this vulnerability. If an attacker can create an admin account, they gain full control over the website, allowing them to modify site content, steal sensitive information, or even inject malware into the site’s core files.

In real-world scenarios, attackers could exploit this vulnerability to inject code that spreads malware, redirects users to phishing sites, or steals customer data from compromised e-commerce sites. With the ability to create admin accounts, attackers could also maintain persistent control over the site, making it difficult to detect and remove the exploit.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-3899, it is crucial that WordPress site administrators update the Envira Gallery plugin to the latest version as soon as a patch is released. Plugin developers must ensure that user inputs, particularly in fields like the image “Title,” are properly sanitized to prevent XSS attacks.

Administrators should also review the permissions assigned to users with contributor-level access and restrict their ability to use unfiltered HTML or JavaScript. Implementing a security plugin that detects and blocks XSS attempts can provide an additional layer of protection. Regular security audits of plugins and themes are recommended to catch vulnerabilities before they can be exploited.

Finally, using a web application firewall (WAF) can help block malicious requests and protect against XSS attacks, ensuring that user inputs are validated before reaching the WordPress environment.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-3899, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability

Use CleanTalk solutions to improve the security of your website

ARTYOM K.
CVE-2024-3899 – Envira Gallery – Stored XSS to Admin Account Creation (Contributor+) – POC

Leave a Reply

Your email address will not be published. Required fields are marked *