Skip to main content

Two new CVEs: FooGallery's WordPress plugin

Illustration of Two new CVEs: FooGallery's WordPress plugin
Robert Kruczek

Introduction

During some happy hunting, I found two XSS vulnerabilities in the FooGallery WordPress plugin (version 2.4.14), which made 50k instances vulnerable on the day of discovery! These can allow attackers to execute malicious code and gain unauthorized access to administrative functionalities. Below is a detailed explanation of these vulnerabilities and how they can be exploited.

Vulnerability 1: Stored XSS via Custom URL Field

The first vulnerability allows a user with Contributor permissions to modify an album with a gallery and set a “custom URL” containing malicious XSS code. For example, by entering:

Screenshot showing XSS payload

When an administrator accesses the edit page of the same element, the malicious code executes, displaying an alert with the JavaScript value 8. This type of Stored Cross-Site Scripting can be used to execute actions in the context of an administrator, potentially leading to further exploitation.

Proof of Concept

Here is an example HTTP request that demonstrates how a Contributor can save a custom URL with malicious code:

Screenshot showing HTTP request

The custom_url field is affected and allows the injection of malicious code.

Vulnerability 2: Stored XSS via Image Metadata

The second vulnerability affects users with permissions to edit gallery content (Author+). These users can modify the name of a single image by clicking on the “i” icon on the image. The modified content can include any JavaScript or HTML code, which is then displayed to other users editing the same image or accessing the gallery. If the WordPress admin dashboard panel displays a list of recent actions, it will also execute the injected code.

Proof of Concept

Here is an example HTTP request that demonstrates how an Author can inject malicious code into an image’s metadata:

Screenshot showing image metadata injection

The:

  • foogallery%5Btitle%5D
  • foogallery%5Balt-text%5D
  • foogallery%5Bcustom-url%5D
  • foogallery%5Bcustom-class%5D

fields are affected and allow the injection of malicious code:

Graphic showing affected fields

Conclusion

These vulnerabilities in the FooGallery WordPress plugin can lead to security issues, including unauthorized administrative access and further exploitation of the system. It is crucial to update to the latest version of the plugin.

By understanding these vulnerabilities and their potential impact, users can take proactive steps to secure their websites and protect against malicious activities.

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/foogallery/foogallery-2415-authenticated-contributor-stored-cross-site-scripting-via-gallery-custom-url

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/foogallery/foogallery-2414-authenticated-author-stored-cross-site-scripting

Other Insights

Illustration of How a simple vulnerability allowed proxying TCP traffic - real pentest case

How a simple vulnerability allowed proxying TCP traffic - real pentest case

Dariusz Tytko

During a penetration test for our client, it was discovered that the turn.example.com server, which is part of the tested application infrastructure, is vulnerable. This flaw allows for proxying TCP traffic through the server, enabling attacks on any host on the internet. Additionally, attackers could gain access to internal systems and their configurations, potentially compromising the entire infrastructure.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us