CVE-2024-4091 highlights a significant Stored Cross-Site Scripting (XSS) vulnerability within the Responsive Gallery Grid (RGG) plugin for WordPress, a tool installed on numerous WordPress sites to transform the native WordPress gallery into a responsive layout. The plugin, which integrates well with other third-party lightbox plugins, offers WordPress users an enhanced way to showcase their images while keeping responsive image proportions. However, a flaw in the settings configuration allows contributors or editors with access to plugin settings to inject malicious JavaScript (JS) code into the Margin parameter of the gallery settings. If exploited, this vulnerability can provide attackers with persistent control over the site via a JavaScript backdoor.

CVE: CVE-2024-4091
Plugin: Responsive Gallery Grid < 2.3.15
Critical: Low
All Time: 194 125
Active installations: 6 000+
Publicly Published: October 30, 2024
Last Updated: October 30, 2024
Researcher: Artyom Krugov
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4091
https://wpscan.com/vulnerability/e28e79fa-f461-41fe-ad1c-ca768ea5f982/

Timeline

April 11, 2024: Plugin testing and vulnerability detection in the Responsive Gallery Grid have been completed
April 11, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
October 30, 2024: Registered CVE-2024-4091

Discovery of the Vulnerability

The vulnerability was identified during a security evaluation of the Responsive Gallery Grid plugin. Researchers found that within the Display Settings section there is insufficient input validation for the Margin parameter. The value is stored as submitted and later written back into the settings page without being restricted to a number, so attacker-controlled markup ends up in the plugin's settings area. The issue arises when a user intercepts the request that saves the margin setting and embeds malicious JavaScript code in the field named rgg_options[margin]. The stored payload then triggers whenever the gallery settings are displayed, providing an entry point for further exploitation and backdoor creation.

Understanding XSS attacks

Stored Cross-Site Scripting (XSS) is one of the more dangerous types of XSS attacks because the malicious script is stored within the website’s content or settings and is executed whenever an authorized user, like an admin, views the affected section. In WordPress, stored XSS is particularly impactful, as it can be inserted in various content areas, settings, or input fields left vulnerable due to insufficient input validation.

Examples of similar attacks include cases where WordPress plugins managing images, forms, or other user-generated content have allowed stored XSS through unsanitized fields. Attackers exploit these fields to plant persistent scripts that execute every time a targeted user visits the infected part of the site. The result is often session hijacking, unauthorized control of site settings, and, in more extreme cases, full backdoor access to the site.

Exploiting the XSS Vulnerability

To exploit CVE-2024-4091 in the Responsive Gallery Grid plugin, an attacker with contributor or editor privileges can follow these steps:

POC:

  1. Navigate to the RGG panel in the WordPress admin dashboard.
  2. Access the Display Settings section.
  3. Intercept the HTTP request to alter the Margin parameter.
  4. Inject the following payload into the rgg_options[margin] parameter:
PoC payload: 123" onmouseover='alert(1)'


This payload closes the value attribute with its double quote and appends an onmouseover handler, so a JavaScript alert fires when the mouse moves over the stored margin field. More advanced payloads could be used to inject scripts for more persistent attacks, such as capturing cookies or session tokens. By abusing the lack of input validation, attackers can execute arbitrary JavaScript, leading to scenarios like admin account takeover or creation of a backdoor that enables ongoing access to the site.

Recommendations for Improved Security

For both developers and administrators, the following recommendations can mitigate similar vulnerabilities and strengthen WordPress plugin security:

  1. Sanitize and Validate Inputs: Plugin developers should apply rigorous input validation, particularly for fields that affect core functionality and settings.
  2. Enforce Role-Based Access Controls: Plugin settings that modify website behavior should only be accessible to administrators, reducing the likelihood that lower-level users can exploit such vulnerabilities.
  3. Regular Code Reviews and Audits: Developers should conduct regular security reviews and consider employing third-party audits to uncover potential weaknesses in code.
  4. Implement Content Security Policy (CSP): WordPress administrators can add CSP headers to their sites to limit the scope of scripts, making it more challenging for injected JavaScript to execute successfully.
  5. Prompt Plugin Updates: WordPress site admins should keep plugins up-to-date to ensure they are patched against known vulnerabilities.
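The following is an added example (not the plugin's own code) showing how a WordPress plugin can apply recommendations 1 and 2 above to a setting like the margin field from the Discovery section: the raw request value is never stored, the settings page is only registered for users with the manage_options capability, and the value is escaped again on output. The option name rgg_options and the key margin are assumed from the field name rgg_options[margin]; the function names prefixed rgg_example_ and the option group rgg_example_group are hypothetical.

```php
<?php
// Added example, not the Responsive Gallery Grid plugin's code.
// Option name `rgg_options` and key `margin` are assumed from the field
// name rgg_options[margin] seen in the advisory.

// Vulnerable pattern, for contrast (do not use): the raw request array is
// stored and echoed straight into an attribute, so a value such as
//   123" onmouseover='alert(1)'
// closes the attribute and adds an event handler.
//   $opts = $_POST['rgg_options'];
//   update_option( 'rgg_options', $opts );
//   echo '<input name="rgg_options[margin]" value="' . $opts['margin'] . '">';

/**
 * Sanitize callback: only whitelisted keys survive, and each is coerced
 * to its expected type. A margin is a pixel count, so anything that is
 * not a non-negative integer is discarded. absint() turns the PoC payload
 * into the integer 123; the quote and handler never reach the database.
 */
function rgg_example_sanitize_options( $input ) {
    $clean = array();
    $clean['margin'] = isset( $input['margin'] )
        ? min( absint( $input['margin'] ), 100 )   // clamp to a sane range
        : 5;                                       // default margin in px
    return $clean;
}

// register_setting() attaches the sanitizer, so every save that goes
// through options.php is filtered before update_option() runs.
add_action( 'admin_init', function () {
    register_setting(
        'rgg_example_group',
        'rgg_options',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'rgg_example_sanitize_options',
            'default'           => array( 'margin' => 5 ),
        )
    );
} );

// The settings page requires manage_options, which contributors and
// editors do not have by default; options.php enforces the same
// capability when the form is submitted.
add_action( 'admin_menu', function () {
    add_options_page(
        'RGG Example Settings',
        'RGG Example',
        'manage_options',
        'rgg-example',
        'rgg_example_render_page'
    );
} );

function rgg_example_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }
    $opts   = get_option( 'rgg_options', array( 'margin' => 5 ) );
    $margin = isset( $opts['margin'] ) ? absint( $opts['margin'] ) : 5;
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'rgg_example_group' ); ?>
        <label for="rgg-margin">Margin (px)</label>
        <!-- esc_attr() is the second layer: even if a bad value were ever
             stored, it cannot break out of the attribute on output. -->
        <input type="number" id="rgg-margin" name="rgg_options[margin]"
               value="<?php echo esc_attr( $margin ); ?>" min="0" max="100">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The two layers are deliberate: the sanitize callback enforces the data type at storage time, and esc_attr() protects the attribute context at render time, so a gap in either one does not by itself reproduce the attribute-breakout shown in the PoC.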

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-4091, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Artyom k.
CVE-2024-4091 – Responsive Gallery Grid – Stored XSS to JS backdoor – POC
