A critical vulnerability, CVE-2024-2744, has been discovered in NextGen Gallery, a popular WordPress plugin with over 500 000 installations. This flaw exposes websites to the risk of Stored XSS attacks, potentially leading to account takeover and compromising website integrity (if an attacker has previously hijacked an administrator or editor account, they can plant a backdoor to regain access later).

Main info:

CVE: CVE-2024-2744
Plugin: NextGEN Gallery < 3.59.1
Criticality: High
All-time downloads: 40 354 267
Active installations: 500 000+
Publicly Published: April 26, 2024
Last Updated: April 26, 2024
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2744
https://wpscan.com/vulnerability/a5579c15-50ba-4618-95e4-04b2033d721f/

Timeline

March 11, 2024: Plugin testing and vulnerability detection in the NextGEN Gallery plugin have been completed
March 11, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 26, 2024: Registered CVE-2024-2744

Discovery of the Vulnerability

During routine testing of the NextGen Gallery plugin, security researchers uncovered a vulnerability that allows attackers to execute malicious JavaScript code on behalf of an editor, paving the way for account takeover and unauthorized access.

Understanding Stored XSS attacks

Stored XSS, a type of cross-site scripting attack, occurs when malicious scripts are injected into a web application and executed in the context of another user’s session. In WordPress, plugins like NextGen Gallery are susceptible to such attacks if they fail to properly sanitize user inputs.

Exploiting the Stored XSS Vulnerability

By leveraging the vulnerability in NextGen Gallery, attackers can embed malicious script payloads into various fields or components of the plugin, such as widget settings or image descriptions. When unsuspecting users interact with these elements, the malicious code gets executed, leading to potential account compromise.

POC:

Create a new 'NextGEN Widget' widget. Change the "Text for Media RSS link" field to (feed" asdasd=" onmouseover='alert(1)') and click Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.)
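To make the underlying bug pattern and its fix concrete, here is an added example written for this post (not the plugin's code): a template that drops the widget's "Text for Media RSS link" value straight into an HTML attribute, the same template with context-appropriate escaping (the counterpart of esc_attr()/esc_html() in WordPress), and a parser-based check that flags any attribute the template did not define. The function names, the feed URL and the template markup are assumptions; only the field value comes from the PoC above.

```python
import html
from html.parser import HTMLParser

# Field value from the PoC on this page: it closes the attribute early and
# smuggles an attacker-chosen attribute (carrying an event handler) into the tag.
POC_VALUE = "feed\" asdasd=\" onmouseover='alert(1)'"

# Attributes the (assumed) template is supposed to emit; anything else is injected.
EXPECTED_ATTRS = {"href", "title"}


def render_rss_link_vulnerable(link_text: str, feed_url: str) -> str:
    """Assumed widget output that interpolates the setting unescaped (the bug pattern)."""
    return f'<a href="{feed_url}" title="{link_text}">{link_text}</a>'


def render_rss_link_safe(link_text: str, feed_url: str) -> str:
    """Same markup, escaped for its context: attribute values with quote=True, text as HTML."""
    return (f'<a href="{html.escape(feed_url, quote=True)}" '
            f'title="{html.escape(link_text, quote=True)}">'
            f'{html.escape(link_text)}</a>')


class _AnchorAttrs(HTMLParser):
    """Collects the attributes the HTML parser actually assigns to the <a> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.update(attrs)


def tag_attributes(markup: str) -> dict:
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs


def injected_attributes(markup: str) -> set:
    """Attribute names present on the rendered tag that the template never defined."""
    return set(tag_attributes(markup)) - EXPECTED_ATTRS


if __name__ == "__main__":
    url = "https://example.invalid/feed"  # constructed sample URL
    print("vulnerable:", injected_attributes(render_rss_link_vulnerable(POC_VALUE, url)))
    print("safe:      ", injected_attributes(render_rss_link_safe(POC_VALUE, url)))
```

Which attribute ends up holding the event handler depends on how the real plugin quotes and stores the value, which this example does not reproduce; the defender's check is simply that an unexpected attribute name appears at all, and that the escaped rendering round-trips the value as plain text.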

____

The CVE-2024-2744 vulnerability poses a significant risk to WordPress websites using the NextGen Gallery plugin. Attackers could exploit this flaw to perform various malicious actions, including, but not limited to, creating JavaScript backdoors, redirecting users to phishing sites, or stealing sensitive user information.

Recommendations for Improved Security

Website administrators and WordPress users are advised to update the NextGen Gallery plugin to the latest patched version immediately. Additionally, developers should implement robust input validation and output sanitization mechanisms to prevent XSS vulnerabilities in their plugins. Regular security audits and penetration testing can also help identify and mitigate potential risks proactively.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-2744, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

DMITRII I.
CVE-2024-2744 – NextGEN Gallery – Stored XSS to JS backdoor creation – POC