A high-severity Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2020-9334, exists in a popular WordPress plugin called Envira Photo Gallery, leaving over 100,000 websites exposed to phishing, theft of administrators’ session tokens, and similar attacks.

In this blog post, we will cover what caused the flaw, an example proof-of-concept showing exploitation in a sandbox environment, and mitigation steps.

What is the Envira Photo Gallery Plugin?

According to the official documentation of the plugin,

We believe that you shouldn’t have to hire a developer to create a WordPress gallery. That’s why we built Envira, a drag & drop photo gallery plugin that’s both EASY, FAST and POWERFUL.

What is the vulnerability and how does it work?

The National Vulnerability Database (NVD) describes CVE-2020-9334 as follows:

A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.

I will explain this in 4 simple steps:

1. The plugin gives an authenticated user a drag & drop photo gallery feature in the control panel.

2. A malicious user injects JavaScript code into the “Title” field while uploading an image.

3. Because the plugin does not sanitize this input, the malicious JavaScript is stored in the database along with the image.

4. When any authenticated user visits the plugin’s gallery, the stored JavaScript is executed in their browser.

Therefore, successful exploitation of CVE-2020-9334 may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
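The root cause described above (a stored title that is never sanitized or escaped) is a generic WordPress pattern. The following is an added illustration, not Envira’s own code (the plugin’s code is not shown on this page), with the vulnerable save/render path beside a hardened one; the function names, the meta key `_demo_image_title` and the nonce action `demo_gallery_save_title` are hypothetical.

```php
<?php
// Added illustrative example of the stored-XSS pattern behind CVE-2020-9334.
// Not Envira's code; all demo_* names and the meta key are hypothetical.

// VULNERABLE: raw input stored, then echoed verbatim into the gallery page.
// A title such as <svg/onload=alert(1)> saved by a low-privileged user runs in
// the browser of every user who views the gallery.
function demo_save_title_vulnerable( $attachment_id, $title ) {
    update_post_meta( $attachment_id, '_demo_image_title', $title ); // no sanitization
}

function demo_render_vulnerable( $attachment_id ) {
    $title = get_post_meta( $attachment_id, '_demo_image_title', true );
    return '<img src="' . wp_get_attachment_url( $attachment_id ) . '" title="' . $title . '">'
         . '<p class="caption">' . $title . '</p>'; // unescaped: script context reached here
}

// HARDENED: authorize the request, sanitize on input, and escape on output
// for the exact context the value lands in (attribute vs. element body).
function demo_save_title_hardened( $attachment_id, $title, $nonce ) {
    // Only users allowed to edit this attachment may change its title.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return false;
    }
    // Reject requests that did not originate from the plugin's own form.
    if ( ! wp_verify_nonce( $nonce, 'demo_gallery_save_title' ) ) {
        return false;
    }
    // sanitize_text_field() strips tags and invalid UTF-8, so only plain text is stored.
    update_post_meta( $attachment_id, '_demo_image_title', sanitize_text_field( $title ) );
    return true;
}

function demo_render_hardened( $attachment_id ) {
    $title = get_post_meta( $attachment_id, '_demo_image_title', true );
    // Escape per context: esc_url() for the URL, esc_attr() inside the attribute,
    // esc_html() in the element body. Even a value that bypassed input sanitization
    // (for example, written straight to the database) is rendered as inert text.
    return '<img src="' . esc_url( wp_get_attachment_url( $attachment_id ) ) . '"'
         . ' title="' . esc_attr( $title ) . '">'
         . '<p class="caption">' . esc_html( $title ) . '</p>';
}
```

Output escaping is the control that actually neutralizes a stored payload; input sanitization and the capability/nonce checks reduce how such a value gets stored in the first place.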

Proof Of Concept

Here, I am going to set up WordPress locally to show a proof-of-concept exploitation. I will use Envira v1.6.17 to show the vulnerability, since the bug has been patched in v1.7.7.

1. We download, import, install, and then activate the plugin.

Envira Plugin activated

2. Now go to the “Envira Gallery” tab in the sidebar and create a new gallery by clicking the “Add New” button.

3. Give the new gallery a name and upload any image to it.

4. Now click the pencil icon displayed on the image you just added (as shown below).

Image we just added to our gallery

5. A dialog box should pop up. Here’s where it gets fun: input an XSS vector in the “Title” field.

XSS Vector

Note: <svg/onload=alert("CVE-2020-9334")> will trigger a dialog on the website. This is just for demonstration purposes, to confirm that our XSS vector was in fact injected. A malicious user could, in the same way, execute any JavaScript code.

6. Now save the changes and click the “Update” button.

7. As soon as any other authenticated user visits the gallery page, the JavaScript code we injected is executed.