The NextGEN Gallery plugin, a widely used WordPress plugin for managing and displaying image galleries, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-6393. This flaw allows attackers with editor privileges to inject malicious JavaScript code into gallery settings. This malicious code can be executed when the gallery is viewed, resulting in potential account takeover and backdoor creation. With over 500,000 installations, this vulnerability poses a serious security risk to WordPress sites utilizing NextGEN Gallery.
| Field | Value |
|---|---|
| CVE | CVE-2024-6393 |
| Plugin | NextGEN Gallery < 3.59.5 |
| Critical | High |
| All Time | 621 813 |
| Active installations | 500 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6393 https://wpscan.com/vulnerability/126d1dd7-d332-47c8-ad25-5fbe211313b0/ |
Timeline

| Date | Event |
|---|---|
| June 26, 2024 | Plugin testing and vulnerability detection in the Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin has been completed |
| June 26, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-6393 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of the NextGEN Gallery plugin. It was found that the plugin improperly sanitizes the input provided in the “Alt & Title text” field within the gallery settings. This oversight allows users with editor privileges to inject JavaScript code into the image titles. Once the gallery settings are saved and the page is reloaded, the malicious script will be executed when other users interact with the gallery. This flaw is particularly concerning because editors are often granted the unfiltered_html capability, allowing them to embed JavaScript in various parts of the WordPress site, including post titles and comments.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is one of the most common vulnerabilities in web applications, allowing attackers to inject malicious scripts into websites. In WordPress, XSS attacks are often carried out through user-generated content such as comments, posts, and image metadata. When these inputs are not properly sanitized, the injected scripts can be executed in the browsers of users viewing the content. A notable real-world example of XSS exploitation in WordPress was the vulnerability found in the WPForms plugin, where attackers could inject malicious code into form fields. Similarly, the vulnerability in NextGEN Gallery allows attackers to target users who view galleries, executing JavaScript in their browsers.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-6393 is straightforward. An attacker with editor privileges can create a new gallery and import a few images. In the gallery settings, the attacker can modify the “Alt & Title text” field by inserting a payload like <img src=x onerror=alert(1)>.
POC:
Create a new "Gallery". First, import a few images into the gallery. Then change the "Alt & Title text" field in Gallery settings to malicious JS code, for example <img src=x onerror=alert(1)> -> Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
The potential risks of this vulnerability are significant. A successful exploitation of CVE-2024-6393 can lead to the creation of a backdoor admin account, allowing the attacker to gain full control of the site. The attacker could manipulate galleries, steal sensitive user data, or alter site content. In a real-world scenario, an attacker could use this vulnerability to hijack admin accounts or install malware, which could have far-reaching consequences, including data breaches or reputation damage. Furthermore, the vulnerability could serve as a stepping stone for further attacks, as a compromised WordPress site can be used to target other sites or systems connected to the network.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-6393, WordPress administrators should immediately update the NextGEN Gallery plugin to the latest version once a patch is released. It is also recommended to review user roles and restrict the unfiltered_html capability for non-admin users, particularly editors. By limiting the ability to inject JavaScript into content, site administrators can significantly reduce the risk of XSS attacks. Additionally, sanitizing all user input, especially image metadata, and implementing a Content Security Policy (CSP) can help prevent malicious scripts from executing. Regular security audits and the use of WordPress security plugins can further safeguard sites from similar vulnerabilities. To prevent this type of attack, the vendor applied our recommended methods of prevention.
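The following is an added illustration, not NextGEN Gallery's own code, of the unescaped “Alt & Title text” output described under Discovery of the Vulnerability beside the hardening steps recommended in this section (output escaping, input sanitizing, restricting unfiltered_html, CSP); the ngx_demo_* function names, the $settings array shape and the photo.jpg path are assumptions made for the example.

```php
<?php
// Added example (not NextGEN Gallery's code): ngx_demo_* names and the
// $settings array shape are assumptions made for this illustration.

// Constructed sample: an "Alt & Title text" value saved by an editor.
$settings = array( 'alttext' => 'Sunset <img src=x onerror=alert(1)>' );

// Vulnerable pattern: the stored value goes into markup unescaped, so the
// <img onerror=...> it contains is rendered for every visitor of the gallery.
function ngx_demo_render_vulnerable( array $settings ) {
    $alt = $settings['alttext'];
    return '<img src="photo.jpg" alt="' . $alt . '" title="' . $alt . '">';
}

// Hardened pattern: escape at output for attribute context. esc_attr() turns
// < > " ' & into entities, so the browser sees text, not a new element.
function ngx_demo_render_safe( array $settings ) {
    $alt = esc_attr( $settings['alttext'] );
    return '<img src="photo.jpg" alt="' . $alt . '" title="' . $alt . '">';
}

// Defence in depth: also sanitize on save. Alt text is plain text by nature,
// so strip all tags rather than allowing a subset via wp_kses().
function ngx_demo_sanitize_alttext( $value ) {
    return sanitize_text_field( wp_strip_all_tags( $value ) );
}

// Restrict unfiltered_html to administrators (the role review recommended
// above). map_meta_cap returns the primitive caps a user needs; adding
// 'do_not_allow' denies the capability for every non-administrator.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 3 );
// Stricter alternative in wp-config.php, removing it for administrators too:
//   define( 'DISALLOW_UNFILTERED_HTML', true );

// CSP as a further layer: inline handlers such as onerror are blocked when
// script-src carries no 'unsafe-inline'. Tune the sources to the site's theme.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self'" );
} );
```

With the hardened renderer the stored sample is emitted as alt="Sunset &lt;img src=x onerror=alert(1)&gt;", which the browser displays as text; the vulnerable renderer would emit it as live markup.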
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-6393, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.