27 Sep

Not Really a WordPress Plugin Vulnerability, Week of September 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Stored Cross-Site Scripting (XSS) in Easy FancyBox

One of the changelog entries for the latest version of Easy FancyBox is “SECURITY FIX: failing color value sanitization, issue reported by Jakob Hagl sba-research.org, CVE-2019-16524”. When we noticed that changelog we went to figure out what was at issue and it looked like there wasn’t actually a vulnerability. That was confirmed by the report claiming there was one. The proof of concept for that starts with this:

An attacker can exploit this vulnerability by, firstly having access to the Settings > Media page within the administrative portal and secondly setting as $titleColor the following string:

That is a page that is normally only accessible by Administrators and those users are normally permitted to do the equivalent of cross-site scripting (XSS) due to having the unfiltered_html capability, they also can take other actions that would do the equivalent what could be done with this, say installing another plugin.