A high-severity Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2020-9334, exists in the popular WordPress plugin Envira Photo Gallery, leaving over 100,000 websites exposed to phishing attacks, theft of administrators’ session tokens, and similar abuse.
In this blog post, we will cover what caused the flaw, a Proof-of-Concept showing exploitation in a sandbox environment, and mitigation steps.
What is the Envira Photo Gallery Plugin?
According to the official documentation of the plugin,
We believe that you shouldn’t have to hire a developer to create a WordPress gallery. That’s why we built Envira, a drag & drop photo gallery plugin that’s both EASY, FAST and POWERFUL.
What is the vulnerability and how does it work?
The National Vulnerability Database (NVD) describes CVE-2020-9334 as,
I will explain this in 4 simple steps:
- The plugin provides an authenticated user a drag & drop photo gallery feature in the control panel,
Therefore, successful exploitation of CVE-2020-9334 may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Proof Of Concept
Here, I am going to set up WordPress locally to show a Proof-of-Concept exploitation. I will use Envira v1.6.17 to demonstrate the vulnerability, since the bug has been patched in v1.7.7.
1. We download, import, install, and then activate the plugin.
2. Now we go to the “Envira Gallery” tab in the sidebar and create a new gallery by clicking the “Add New” button,
3. Give the new gallery a name and upload any image to it,
4. Now click on the pencil icon displayed on the image you just added (as shown below),
5. A dialog box should pop up. Here’s where it gets fun: input an XSS vector in the “Title” field,
6. Now save the changes and click the “Update” button,
An attacker can use XSS to send a malicious script to an unsuspecting user, in this case an administrator. The end user’s browser has no way to know that the script should not be trusted and will execute it. Because the browser believes the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. It can also redirect the victim to a malicious site (for phishing or stealing information).
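To make the root cause concrete, here is an added example (not the plugin’s code; the markup, function names and sample title are constructed for illustration) contrasting a gallery item renderer that prints a stored image title unescaped with one that escapes it for the HTML context it lands in:

```php
<?php
// Added illustration of the bug class behind CVE-2020-9334: a "Title" value
// stored by an authenticated user is later printed into gallery HTML without
// output escaping. Function names and markup are constructed, not Envira's.
declare(strict_types=1);

// Constructed sample input: what would be typed into the "Title" field.
const SAMPLE_TITLE = '<script>alert(1)</script>';

// Vulnerable rendering: the title is interpolated verbatim into an attribute
// and into text content, so browser-executable markup survives unchanged.
function render_item_vulnerable(string $src, string $title): string {
    return '<img src="' . $src . '" alt="' . $title . '">'
         . '<span class="gallery-caption">' . $title . '</span>';
}

// Context-appropriate escaping. Inside WordPress the equivalents are
// esc_url() for the src, esc_attr() for attributes and esc_html() for text;
// htmlspecialchars() is used here so the file runs without WordPress loaded.
function esc_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value is escaped at output time.
function render_item_safe(string $src, string $title): string {
    return '<img src="' . esc_for_html($src) . '" alt="' . esc_for_html($title) . '">'
         . '<span class="gallery-caption">' . esc_for_html($title) . '</span>';
}

// Review check: does the rendered fragment still contain the raw, tag-bearing
// input verbatim? True means the value reached the page without escaping.
function contains_raw_markup(string $fragment, string $title): bool {
    return $title !== strip_tags($title) && strpos($fragment, $title) !== false;
}

$src = 'https://example.invalid/uploads/photo.jpg'; // constructed URL

echo "vulnerable:\n" . render_item_vulnerable($src, SAMPLE_TITLE) . "\n";
echo "hardened:\n" . render_item_safe($src, SAMPLE_TITLE) . "\n";
echo 'raw payload survives (vulnerable): '
   . var_export(contains_raw_markup(render_item_vulnerable($src, SAMPLE_TITLE), SAMPLE_TITLE), true) . "\n";
echo 'raw payload survives (hardened):   '
   . var_export(contains_raw_markup(render_item_safe($src, SAMPLE_TITLE), SAMPLE_TITLE), true) . "\n";
```

Escaping at output is the fix that closes the bug regardless of how the value was saved; sanitising on input (for example with WordPress’s sanitize_text_field()) is a useful second layer but not a substitute for it.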
How to resolve this Envira Gallery vulnerability?
This is very simple. Navigate to your WordPress plugin section and update the plugin to the newest version, v1.7.7 at the time of writing this blog.
We would also recommend scanning and monitoring your WordPress website with WPSec.
Vulnerabilities similar to this are found often. As such, we recommend that all users keep on top of updates, either by updating manually or by activating automatic updates.
Blog post written by Eshaan Bansal.