10 May 2024

Not Really a WordPress Plugin Vulnerability, Week of May 10

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Scripting (XSS) in NextGen Gallery

Our firewall plugin has been blocking attempts to exploit what at least one hacker believes to be a vulnerability in the plugin NextGen Gallery, where the attempt looks like this:

/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=</script><script>alert(document.domain)</script>th

That appears to be related to a report of a claimed vulnerability from 2013, which claimed the vulnerability existed in version 1.9.10 of the plugin. There are a couple of big problems with the claim of a vulnerability. If you access the URL that is supposed to be exploitable, you are shown the message “You are not allowed to call this page directly.”, which corresponds with the first code in the file being called:

if(preg_match('#' . basename(__FILE__) . '#', $_SERVER['PHP_SELF'])) { die('You are not allowed to call this page directly.'); }

That causes it to exit before any other code is run.

Even if that were not there, the user input that would need to be output for there to be a vulnerability isn’t output; the code simply checks whether it exists:

if ( isset( $_GET['test-head'] ) )
	add_action( 'wp_head', create_function('', 'echo \'<!--wp_head-->\';'), 99999 );
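The two points above can be checked without a WordPress install. The following is an added example written for this post, not code from NextGEN Gallery: it reproduces the direct-access guard and the isset()-only handling of test-head in plain PHP (with a closure in place of the create_function() call, which no longer exists in PHP 8), feeds both the constructed probe value from the blocked request, and reports whether that value ever reaches the rendered output. The request values and the function names are assumptions made for the demonstration.

```php
<?php
// Added example, not NextGEN Gallery's code. All request values below are
// constructed to mirror the blocked request in the post.

// The direct-access guard: if the plugin file's own name appears in PHP_SELF,
// the file was requested directly rather than included by WordPress, and the
// original code die()s before any other line runs. preg_quote() is used here
// only so the "." in the file name is matched literally.
function directCallBlocked(string $scriptFile, string $phpSelf): bool
{
    return (bool) preg_match('#' . preg_quote(basename($scriptFile), '#') . '#', $phpSelf);
}

// The test-head handling: the parameter is only passed to isset(); its value is
// never echoed, so nothing from it can be reflected into the page. The closure
// stands in for the create_function() callback and emits the same marker.
function renderHead(array $get): string
{
    $hooks = [];
    if (isset($get['test-head'])) {
        $hooks[] = function (): string {
            return '<!--wp_head-->';
        };
    }
    $out = '';
    foreach ($hooks as $hook) {
        $out .= $hook();
    }
    return $out;
}

// Runs both checks for the probe value and summarises what a defender needs to
// know: whether direct access is stopped, and whether the value is reflected.
function assessProbe(string $probeValue): array
{
    $pluginFile = 'nggallery.php';
    $directPath = '/wp-content/plugins/nextgen-gallery/' . $pluginFile;

    $head = renderHead(['test-head' => $probeValue]);

    return [
        'direct_request_blocked'   => directCallBlocked($pluginFile, $directPath),
        'included_request_blocked' => directCallBlocked($pluginFile, '/index.php'),
        'head_output'              => $head,
        'probe_value_reflected'    => strpos($head, $probeValue) !== false,
    ];
}

// Constructed probe value, taken from the request the firewall blocked.
$probe = '</script><script>alert(document.domain)</script>th';
print_r(assessProbe($probe));
```

Run it with the PHP CLI; direct_request_blocked is true and probe_value_reflected is false, which is the whole of the point: the guard stops a direct request, and even on a normal WordPress request the parameter's value only decides whether a fixed HTML comment is added.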
