In the ever-changing world of web security, WordPress plugins often find themselves at the forefront of both innovation and vulnerabilities. The latest discovery, CVE-2024-5442, reveals a flaw in the popular NextGEN Gallery WordPress plugin. This vulnerability makes a stored cross-site scripting (XSS) attack possible, allowing attackers to inject malicious JavaScript code and potentially create a backdoor to hijack accounts.

CVE: CVE-2024-5442
Plugin: NextGEN Gallery < 3.59.3
Criticality: Low
All Time: 40 625 705
Active installations: 500 000+
Publicly Published: June 22, 2024
Last Updated: June 22, 2024
Researcher: Artyom Krugov
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5442/
https://wpscan.com/vulnerability/4f1fa417-f760-4132-95c2-a38d0b631263/

Timeline

May 14, 2024: Plugin testing and vulnerability detection in the NextGEN Gallery have been completed.
May 14, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
June 22, 2024: Registered CVE-2024-5442.

Discovery of the Vulnerability

During a routine security assessment of the NextGEN Gallery plugin, a stored cross-site scripting (XSS) vulnerability was identified. This vulnerability, cataloged as CVE-2024-5442, allows an attacker with administrator-level access to inject malicious scripts into the gallery settings. This flaw can be exploited to hijack user accounts and perform unauthorized actions on behalf of the affected users.

Understanding Stored XSS Attacks

Cross-Site Scripting (XSS) is a prevalent security issue in web applications, including WordPress. XSS vulnerabilities arise when an application includes untrusted data in a web page without proper validation or escaping. This allows attackers to execute arbitrary scripts in the context of the victim’s browser. In WordPress, XSS vulnerabilities often emerge from plugins or themes that do not adequately sanitize user inputs.

In the case of the NextGEN Gallery plugin, the XSS vulnerability is stored, meaning the malicious script is persisted on the target server (here, in the album data kept in the database) and is executed whenever a user visits a page that renders the affected album. This type of XSS can have severe consequences, including session hijacking, defacement, and in this scenario, account takeover through backdoor creation.

Exploiting the Stored XSS Vulnerability

To exploit the stored XSS vulnerability in NextGEN Gallery, an attacker with administrator access needs to follow these steps:

POC:

  1. Navigate to Manage Albums: The attacker logs in to the WordPress dashboard and goes to the “Manage Albums” section of the NextGEN Gallery plugin.
  2. Add a New Album with Malicious Payload: The attacker creates a new album and includes the following malicious payload in one of the album fields: `"><script></script><img src=x onerror=alert(document.domain)>`
  3. Save the Malicious Album: The attacker saves the album, ensuring that the payload is stored in the album data.
  4. Insert the Album into a Page or Post: The attacker then goes to the Posts or Pages section, selects a post or page, and uses the Gutenberg block editor to insert the NextGEN Gallery. They choose the album with the injected payload in the “INSERT INTO PAGE” field.


The potential risks associated with this vulnerability are extensive. Attackers could leverage this flaw to:

  • Create Backdoors: Persistently access compromised accounts even after detection.
  • Hijack Sessions: Steal session cookies and hijack active user sessions.
  • Deface Websites: Alter the appearance of the site or display unwanted content.
  • Steal Sensitive Data: Access confidential user data or administrative functions.

Real-world scenarios might include an attacker gaining administrative privileges, altering critical site settings, or spreading the exploit to other users who interact with the compromised site.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-5442, the following steps are recommended:

  1. Update the Plugin: Ensure that the NextGEN Gallery plugin is updated to version 3.59.3 or later, where the vulnerability is patched.
  2. Sanitize Inputs: Implement robust input validation and sanitization to prevent malicious code from being accepted.
  3. Restrict Unfiltered HTML: Limit the use of the unfiltered_html capability to trusted users only, minimizing the risk of XSS exploits.
  4. Regular Security Audits: Conduct periodic security audits of plugins and themes to identify and address vulnerabilities proactively.
  5. Educate Users: Train users on the importance of security best practices, particularly those with elevated privileges.
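The following is an added illustration, not NextGEN Gallery's own code: a hypothetical album handler (function names prefixed `nxg_demo_` are assumptions) showing the pattern that lets the album-field payload from the PoC above execute, beside the sanitize-on-save and escape-on-output form that recommendations 2 and 3 describe. It assumes the WordPress API (`sanitize_text_field`, `wp_kses_post`, `current_user_can`, `esc_attr`) is loaded.

```php
<?php
// VULNERABLE: stores whatever the form submitted and prints it raw into an
// HTML attribute and a text node. A title such as  "><img src=x onerror=...
// closes the attribute and the tag, so the browser runs the payload for
// every visitor of the page the album is inserted into.
function nxg_demo_album_render_unsafe( array $album ) {
    return '<div class="album" data-title="' . $album['title'] . '">'
         . $album['description'] . '</div>';
}

// HARDENED, step 1: sanitize on save (recommendation 2). The title is plain
// text, so tags are stripped outright. The description may carry limited
// HTML: users holding unfiltered_html keep it raw, as core does for post
// content; everyone else (recommendation 3) is filtered through
// wp_kses_post(), which drops <script> and on* event attributes.
function nxg_demo_album_sanitize( array $raw ) {
    $title       = sanitize_text_field( $raw['title'] ?? '' );
    $description = (string) ( $raw['description'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $description = wp_kses_post( $description );
    }
    return array( 'title' => $title, 'description' => $description );
}

// HARDENED, step 2: escape on output, choosing the escaper by context.
// esc_attr() for the attribute value turns the PoC's  ">  into &quot;&gt;
// so it can no longer break out; wp_kses_post() on the description keeps
// benign markup but removes script-bearing tags and attributes. Stored
// data is still treated as untrusted here, because an administrator's
// session can be hijacked or the row can be written by another code path.
function nxg_demo_album_render_safe( array $album ) {
    return '<div class="album" data-title="' . esc_attr( $album['title'] ) . '">'
         . wp_kses_post( $album['description'] ) . '</div>';
}
```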

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-5442, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



ARTYOM K.
CVE-2024-5442 – NextGEN Gallery – Stored XSS – POC
