Full Disclosure of Authenticated XSS Vulnerability in WordPress Plugin With 100,000+ Installs
One element of the inappropriate behavior of the WordPress Support Forum moderators that has led us to fully disclose vulnerabilities in protest, until WordPress gets that situation cleaned up, has been deleting messages about vulnerabilities in WordPress plugins while doing nothing to get them fixed. We don’t know how they think that is a good idea, since it only limits getting things fixed, which is the important thing to do about vulnerabilities, while not actually hiding the vulnerabilities.
Sometimes things get even odder, as once again we found the moderator Steven Stern (sterndata) deleting a topic well after doing so could do much, if any, good. The last time we ran across them doing that, it probably slowed down the fixing of a vulnerability that was claimed to be already being exploited (but likely wasn’t actually being exploited). If it really was already being exploited, then the horse was already well out of the barn; by the time they deleted it, the topic had been up for a couple of days, so others had plenty of time to see it, which means the focus should have been on getting it fixed quickly instead of making that harder. In this instance they deleted a topic on something that isn’t even really a vulnerability, as the developer had explained at the time, over a month after it was posted. What good they think deleting that will do, we don’t know. Before we realized that we had actually seen the earlier claims and concluded there really wasn’t an issue, we went to see what might be at issue with the plugin and found a real vulnerability. So their action is actually causing a real vulnerability to be fully disclosed, which is exactly the kind of counterproductive behavior the moderators excel in.
The title of the deleted topic is “XSS vulnerability in FooGallery -1.4.31 Plugin For WordPress”. There are several different variants of cross-site scripting (XSS), so there are a number of things that we could have looked at to try to find the vulnerability being referred to or some other vulnerability of that type. It only took us several minutes to find an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin, which is concerning considering the plugin has 100,000+ active installs and the vulnerability has been in the plugin for nearly four years without being noticed.
The plugin allows users down to the Contributor level to create new galleries. One of the settings for those galleries is Custom CSS. That value isn’t sanitized when saved and isn’t escaped when output on frontend pages or admin pages, which leads to an authenticated persistent cross-site scripting (XSS) vulnerability. It wouldn’t be safe to assume that is the only security issue in the plugin, considering how easily we spotted it and the security failures that led to it.
Due to the continued inappropriate behavior of the WordPress Support Forum moderators, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).
Underlying Code
The lack of sanitizing occurs in the function save_gallery() in the file /includes/admin/class-gallery-metaboxes.php:
    // The raw $_POST value is stored in post meta without any sanitization.
    $custom_css = isset( $_POST[FOOGALLERY_META_CUSTOM_CSS] ) ? $_POST[FOOGALLERY_META_CUSTOM_CSS] : '';
    if ( empty( $custom_css ) ) {
        delete_post_meta( $post_id, FOOGALLERY_META_CUSTOM_CSS );
    } else {
        update_post_meta( $post_id, FOOGALLERY_META_CUSTOM_CSS, $custom_css );
    }
The unsanitized value is then output on the editing page without being escaped in the function render_customcss_metabox() later in that file:
<textarea class="foogallery_metabox_custom_css" name="<?php echo FOOGALLERY_META_CUSTOM_CSS; ?>" type="text"><?php echo $custom_css; ?></textarea>
Proof of Concept
When logged in as a Contributor-level user, create a gallery with the Custom CSS set to “</textarea><script>alert("XSS");</script>” and then submit it for review. When returning to the editing page for the gallery, an alert box with the message “XSS” will be shown.
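For comparison, here is a hardened form of the two snippets quoted under Underlying Code. This is an added example written for this post, not FooGallery’s own code or the fix the developer may ship; it assumes the same names as the quoted code (FOOGALLERY_META_CUSTOM_CSS, $post_id, $custom_css) and only WordPress core functions.

```php
<?php
// Added example (not the plugin's code): sanitize the Custom CSS value on save
// and escape it on output, the two steps the quoted code skips.

// --- save_gallery(): sanitize before storing ---------------------------------
// wp_unslash() undoes the slashes WordPress adds to $_POST before we inspect it.
$custom_css = isset( $_POST[ FOOGALLERY_META_CUSTOM_CSS ] )
    ? wp_unslash( $_POST[ FOOGALLERY_META_CUSTOM_CSS ] )
    : '';

// wp_strip_all_tags() removes every HTML tag, including whole <script> and
// <style> blocks, while keeping the plain CSS text and its line breaks. A stored
// value can then no longer close a <textarea> (admin page) or a <style> element
// (frontend output) when it is echoed.
$custom_css = wp_strip_all_tags( $custom_css );

if ( empty( $custom_css ) ) {
    delete_post_meta( $post_id, FOOGALLERY_META_CUSTOM_CSS );
} else {
    update_post_meta( $post_id, FOOGALLERY_META_CUSTOM_CSS, $custom_css );
}

// --- render_customcss_metabox(): escape on output ----------------------------
// The original echoed $custom_css unescaped inside the textarea. esc_textarea()
// encodes <, >, & and quotes, so even a value stored before the sanitizing fix
// (or written through another code path) is rendered as text and cannot end the
// element. Output escaping is the control that must never be skipped; the
// sanitizing above is defense in depth.
?>
<textarea class="foogallery_metabox_custom_css"
          name="<?php echo esc_attr( FOOGALLERY_META_CUSTOM_CSS ); ?>"
          type="text"><?php echo esc_textarea( $custom_css ); ?></textarea>
```

With both changes in place, the proof-of-concept value above is stored as the literal text “alert("XSS");” and the edit page shows it inside the textarea instead of executing it.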