Found a vulnerability in the WordPress Gutenberg plugin?

The U.S. government’s National Vulnerability Database published a notification about a vulnerability found in the official WordPress Gutenberg plugin. But according to the person who discovered it, WordPress has not acknowledged it as a vulnerability.

Stored Cross-Site Scripting (XSS) Vulnerability

XSS is a vulnerability that occurs when someone can submit, through a form or another input, content such as a script that the site does not properly filter and then serves to other users.

Most forms and other website inputs validate that what is being submitted is what is expected and filter out dangerous files.

An example is a form for uploading images that fails to prevent attackers from uploading malicious scripts.

According to the Open Web Application Security Project, a nonprofit focused on helping improve software security, a successful XSS attack can happen as follows:

“An attacker can use XSS to send malicious scripts to unsuspecting users.

The end user’s browser has no way of knowing that the script should not be trusted and will execute the script.

Because it believes the script is from a trusted source, a malicious script can access any cookies, session tokens, or other sensitive information that the browser retains and uses with the site.

These scripts can even rewrite the content of HTML pages.”

Common Vulnerabilities and Exposures – CVE

CVE, short for Common Vulnerabilities and Exposures, is the program used to document vulnerabilities and publish findings to the public.

Backed by the U.S. Department of Homeland Security, the organization examines discovered vulnerabilities and, if accepted, assigns the vulnerability a CVE number that serves as an identification number for that particular vulnerability.

Vulnerability found in Gutenberg

Security research has uncovered what is believed to be a vulnerability. The discovery was submitted to CVE, where it was approved and assigned a CVE ID number, making the discovery an officially recorded vulnerability.

The ID number for the XSS vulnerability is CVE-2022-33994.

The vulnerability report published on the CVE site contains the following description:

“The Gutenberg plugin for WordPress from 13.7.3 allows contributor roles to store XSS via SVG documents to the “Insert from URL” feature.

Note: XSS payloads do not execute in the context of the WordPress instance domain; however, some similar products prevent similar attempts by low-privileged users to reference SVG documents, and this behavioral difference may be security-related for some WordPress site administrators.”

This means that someone with contributor-level permissions could cause malicious files to be inserted into the site.

The way to do this is to insert an image via a URL.

In Gutenberg, there are three ways to upload images.

  1. Upload a file
  2. Choose an existing image from the WordPress media library
  3. Insert an image from a URL

The last method is the source of the vulnerability because, according to the security researchers, it makes it possible to reference an image with any file extension via URL, something the regular upload function does not allow.

Is it really a bug?

The researcher reported the vulnerability to WordPress. But WordPress did not admit it was a vulnerability, according to the person who discovered it.

Here’s what the researchers wrote:

“I discovered a stored cross-site scripting vulnerability in WordPress that was rejected by the WordPress team and marked as informative.

Today is my 45th day reporting this vulnerability, but as of this writing, it has not been patched…”

So there seems to be a question as to whether this really is an XSS vulnerability, that is, whether WordPress is right and the US government-backed CVE foundation is wrong (or vice versa).

The researchers maintain that this is a genuine vulnerability and point to the CVE acceptance as verification of the claim.

Additionally, the researchers hinted or implied that it might not be a good practice for the WordPress Gutenberg plugin to allow uploading of images via URL, noting that other companies do not allow such uploads.

“If so, then please tell me why…companies like Google and Slack validate files loaded via URLs and reject them if they find them to be SVG!

…Google and Slack…don’t allow SVG files to be loaded via URL, WordPress does just that!”
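The check the researchers describe at Google and Slack, and the gap described under “Insert image from URL” above, can be illustrated with a server-side allowlist that decides on the fetched bytes rather than on the file extension or the Content-Type header. This is an added example, not Gutenberg or WordPress code; the function names, the sample bytes and the example.test URLs are constructed for illustration.

```javascript
// Added example, not Gutenberg or WordPress code: an allowlist check for an image
// referenced by URL. The decision is made on the fetched bytes, never on the URL's
// extension or the Content-Type header, both of which the remote host controls.

const RASTER_MAGIC = [
  { type: "image/png",  sig: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", sig: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  sig: [0x47, 0x49, 0x46, 0x38] },            // "GIF8"
];
const EXT_TYPE = { png: "image/png", jpg: "image/jpeg", jpeg: "image/jpeg", gif: "image/gif", webp: "image/webp" };

function hasSignature(buf, sig, offset = 0) {
  if (buf.length < offset + sig.length) return false;
  return sig.every((b, i) => buf[offset + i] === b);
}

// Sniff the real type: an allowed raster format, "text/markup" for SVG/XML/HTML
// (scriptable, so rejected as a whole class), or null when nothing is recognised.
function sniffImageType(buf) {
  for (const { type, sig } of RASTER_MAGIC) if (hasSignature(buf, sig)) return type;
  if (hasSignature(buf, [0x52, 0x49, 0x46, 0x46]) && hasSignature(buf, [0x57, 0x45, 0x42, 0x50], 8)) {
    return "image/webp";                                              // "RIFF....WEBP"
  }
  // Markup may sit behind a BOM, whitespace, comments or an XML prolog.
  const head = Buffer.from(buf.subarray(0, 1024)).toString("utf8")
    .replace(/^\uFEFF/, "").replace(/<!--[\s\S]*?-->/g, "").trimStart();
  if (/^<(\?xml|!doctype|svg|html|script)\b/i.test(head) || /<svg[\s>]/i.test(head)) return "text/markup";
  return null;
}

// Decide whether a URL-referenced image may be stored or embedded. `declaredType` is the
// remote Content-Type header and `url` the link the contributor supplied; both are only
// reported (a mismatch is a useful log signal), never trusted for the decision.
function validateUrlImage(buf, declaredType, url) {
  const sniffed = sniffImageType(buf);
  const ext = (url.split(/[?#]/)[0].match(/\.([a-z0-9]+)$/i) || ["", ""])[1].toLowerCase();
  const mismatch = declaredType.split(";")[0].trim() !== sniffed || EXT_TYPE[ext] !== sniffed;
  if (sniffed === null) return { ok: false, reason: "unrecognised content", mismatch };
  if (sniffed === "text/markup") return { ok: false, reason: "SVG/HTML markup rejected", mismatch };
  return { ok: true, type: sniffed, mismatch };
}

// Constructed sample inputs (not from the advisory): a minimal PNG header, and a harmless
// SVG document that arrives with a lying Content-Type and a .png extension.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13, 0x49, 0x48, 0x44, 0x52]);
const SAMPLE_SVG = Buffer.from('\uFEFF  <!-- logo -->\n<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>', "utf8");

console.log(validateUrlImage(SAMPLE_PNG, "image/png", "https://example.test/logo.png"));
console.log(validateUrlImage(SAMPLE_SVG, "image/png", "https://example.test/logo.png"));
```

The `mismatch` flag is worth logging even for accepted images: a declared type or extension that disagrees with the sniffed bytes is the kind of event an administrator would want to see.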

What should I do?

WordPress has not released a fix for the vulnerability, as they do not appear to consider it a vulnerability at all.

The official vulnerability report states that Gutenberg versions up to 13.7.3 contain the vulnerability.

But 13.7.3 is the latest version.

According to the official WordPress Gutenberg changelog, which documents all past changes and publishes descriptions of future changes, there is no fix for this (so-called) vulnerability, nor is it planned.

So the question is whether there is anything to fix.

Citation

U.S. Government Vulnerability Database reports on vulnerabilities

CVE-2022-33994 Details

Report published on the official CVE website

CVE-2022-33994 Details

Read the researchers’ findings

CVE-2022-33994:- XSS stored in WordPress

Featured Image by Shutterstock/Kues
