oss-sec mailing list archives
[SBA-ADV-20190911-01] CVE-2019-16524: Easy FancyBox Wordpress Plugin 1.8.17 or below Stored Cross-site Scripting (XSS)
From: SBA Research Advisory <advisory () sba-research org>
Date: Wed, 25 Sep 2019 13:56:52 +0200
# Easy FancyBox Wordpress Plugin Stored Cross-site Scripting (XSS) # Link: https://github.com/sbaresearch/advisories/tree/public/2019/SBA-ADV-20190911-01_Easy_FancyBox_WP_Plugin_Stored_XSS ## Vulnerability Overview ## The Easy FancyBox WordPress Plugin Version 1.8.17 is susceptible to Stored Cross-site Scripting in the Settings > Media admin page `/wp-admin/options-media.php` due to improper encoding of arbitrarily submitted setting parameters. The vulnerability affects every publicly accessible page of the WordPress site. * **Identifier** : SBA-ADV-2010911-01 * **Type of Vulnerability** : Cross-site Scripting * **Software/Product Name** : [Easy FancyBox](https://wordpress.org/plugins/easy-fancybox/) * **Vendor** : [RavanH](https://status301.net/) * **Affected Versions** : <= 1.8.17 * **Fixed in Version** : 1.8.18 * **CVE ID** : CVE-2019-16524 * **CVSSv3 Vector** : AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N * **CVSSv3 Base Score** : 3.5 (Low) ## Vendor Description ##
Easy FancyBox plugin for WordPress websites gives you a flexible and aesthetic light box solution for just about all media links on your website. Easy FancyBox uses an updated version of the traditional FancyBox jQuery extension and is WP 3+ Multi-Site compatible. After activation you can find a new section FancyBox on your Settings > Media admin page where you can manage the media light box options.
Source: <https://wordpress.org/plugins/easy-fancybox/> ## Impact ## By exploiting the documented vulnerability, an attacker can execute JavaScript code in a victim's browser within the origin of the target site. This can be misused, for example, by taking over future administrative web management sessions. ## Vulnerability Description ## Several parameters of the file `/inc/class-easyfancybox.php` are affected by stored cross-site scripting vulnerabilities. The file is a part of the Settings > Media admin page of the WordPress instance. These setting parameters are embedded in CSS blocks without encoding or sanitization, that are sent to the client's browser. The style sheet is sent along with every publicly accessible page, no matter if the plugin is needed on some pages or not. For example, the following parameters are vulnerable: * `/inc/class-easyfancybox.php` * fancybox_titleColor * fancybox_paddingColor There are many more vulnerable parameters, the above listed are given only as an example. The vulnerabilities are located in `/inc/class-easyfancybox.php`: ```php [...] if ( !empty($paddingColor) ) $content_style .= 'border-color:'.$paddingColor.';'; [...] if ( !empty($titleColor) ) $styles .= '#fancybox-title,#fancybox-title-float-main{color:'.$titleColor.'}'; [...] ``` As the above code snippet shows, the parameters `$paddingColor` and `$titleColor` contains user input and is concatenated into `$content_style` or respectively `$styles` without performing any sanitization or escaping. ## Proof of Concept ## An attacker can exploit this vulnerability by, firstly having access to the `Settings > Media page` within the administrative portal and secondly setting as `$titleColor` the following string: ```text #44}</style><img src="" onerror="alert(1)"> ``` This leads to the following HTML response (shortened for readability): ```html <style id='fancybox-inline-css' type='text/css'> #fancybox-title,#fancybox-title-float-main{color:#44}</style><img src="" onerror="alert(1)">} </style> ``` ## Recommended Countermeasures ## We recommend strictly whitelisting the user input before it is being used. The only allowed characters should be alphanumeric characters and the hash sign. ## Timeline ## * `2019-09-11` Identified the vulnerability in version 1.8.17 * `2019-09-11` Contacted the vendor via support * `2019-09-16` Vendor closed the vulnerability in version 1.8.18 * `2019-09-23` Publication of CVE-2019-16524 ## References ## * ([Easy Fancybox Plugin Page](https://wordpress.org/plugins/easy-fancybox/)) ## Credits ## * Jakob Hagl ([SBA Research](https://www.sba-research.org/))
Attachment:
0xFBB8862F58F775B2.asc
Description:
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [SBA-ADV-20190911-01] CVE-2019-16524: Easy FancyBox Wordpress Plugin 1.8.17 or below Stored Cross-site Scripting (XSS) SBA Research Advisory (Sep 25)