Securin Zero-Days

CVE-2015-9537 – Multiple Cross Site Scripting in NextGen Gallery

Severity:High

Vendor

NextGen

Affected Product

NextGen Gallery

CVE

CVE-2015-9537

Securin ID

2015-CSW-08-1002

Status

Fixed

Date

August 31, 2015

Description

Multiple XSS vulnerabilities was identified on the WordPress NextGen Gallery plugin before 2.1.10, involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template. 

Proof of Concept (POC):

Visit the following page on a site with the plugin installed. http://wordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 and modify the value of path variable in NextGEN Gallery Photocrati Version 2.1.10 with’></script><script>alert(document.cookie);</script> payload and save it to view further. Now, the added XSS payload is executed whenever the user reviews it.

Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file

Figure 01: HTTP Request & response for the vulnerable variable photocrati-nextgen_basic_thumbnails[thumbnail_width]

Figure 02: HTTP Request & response for the vulnerable variable thumbnail_settings[thumbwidth]

Figure 03: XSS response executed in the browser

Impact

An attacker can inject malicious code into the scope of vulnerable variables to a managed gallery page by providing XSS payload as a value.

Remediations

Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

Timeline

Aug 31, 2015: Discovered in NextGen Gallery 2.1.7 version.
Aug 31, 2015: Reported to WP Plugin.
Sep 01, 2015: Fixed in 2.1.10 version of NextGen Gallery. 

Let Securin level up your security posture!