Vulnerability found in the WordPress Gutenberg plugin?


The US Government’s National Vulnerability Database has published a notification of a vulnerability discovered in the official WordPress Gutenberg plugin. But according to the person who found it, WordPress didn’t recognize it was a vulnerability.

Stored Cross-Site Scripting (XSS) Vulnerability

XSS is a type of vulnerability that occurs when someone can get script content into a site, for example through a form or other input path, that the site would not normally accept.

Most forms and other website entry points validate that what is uploaded is what was expected and filter out dangerous files.

An example is a form to upload an image that fails to prevent an attacker from uploading a malicious script.

According to the nonprofit Open Web Application Security Project, an organization whose goal is to help improve software security, here’s what can happen with a successful XSS attack:

“An attacker can use XSS to send a malicious script to an unsuspecting user.

The end user’s browser has no way of knowing that the script should not be trusted and will run the script.

Because it believes the script to be from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information stored by the browser and used with this site.

These scripts can even rewrite the content of the HTML page.”

Common Vulnerabilities and Exposures – CVE

An organization called CVE serves as a means of documenting vulnerabilities and communicating findings to the public.

The organization, backed by the US Department of Homeland Security, reviews vulnerability findings and, if accepted, assigns the vulnerability a CVE number that serves as the identification number for that specific vulnerability.

Discovery of a vulnerability in Gutenberg

A security researcher discovered what was believed to be a vulnerability. The discovery was submitted to CVE, where it was approved and given a CVE ID number, making it an official vulnerability.

The XSS vulnerability has been assigned the identification number CVE-2022-33994.

The vulnerability report that was posted on the CVE site contains this description:

“Gutenberg plugin via 13.7.3 for WordPress allows XSS stored by the Contributor role via an SVG document from the “Insert from URL” function.

NOTE: The XSS payload does not run in the context of the WordPress instance domain; however, similar attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this difference in behavior might have security relevance for some WordPress site administrators.”

This means that someone with Contributor level privileges can cause a malicious file to be inserted into the website.

The way to do this is to insert the image via a URL.

In Gutenberg, there are three ways to upload an image.

  1. Upload
  2. Choose an existing image from the WordPress media library
  3. Insert image from URL

This last method is the source of the vulnerability because, according to the security researcher, it lets a user add an image with any file extension to WordPress via a URL, something the regular upload feature does not allow.
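The checks the article later attributes to Google and Slack (validating the real type of a file fetched from a URL and rejecting SVG) can be shown in code. The following is an added example, not code from WordPress or the Gutenberg plugin; the function names (`sniff_type`, `validate_url_insert`) and the sample bytes are constructed for illustration. It assumes the server has already fetched the bytes for an "Insert from URL" request and must decide whether to store them, and it treats the content, not the extension or Content-Type header, as the source of truth.

```python
import re
from dataclasses import dataclass

# Raster formats a URL-insert feature can safely accept. SVG is deliberately
# absent: it is XML and may carry <script> elements or event-handler attributes,
# which is why the researcher objects to accepting it from low-privileged users.
MAGIC_BYTES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}
CANONICAL_TYPE = {"jpg": "jpeg"}  # extension -> name returned by sniff_type

SVG_ROOT = re.compile(rb"<svg[\s>]", re.IGNORECASE)
SVG_ACTIVE_CONTENT = re.compile(rb"<script[\s>]|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


@dataclass
class Verdict:
    accepted: bool
    detected_type: str
    reason: str


def sniff_type(data: bytes) -> str:
    """Identify the real format from the bytes, ignoring filename and Content-Type."""
    for name, magic in MAGIC_BYTES.items():
        if data.startswith(magic):
            return name
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    # An SVG may start with an XML declaration, DOCTYPE or comment before <svg>.
    if SVG_ROOT.search(data.lstrip()[:4096]):
        return "svg"
    return "unknown"


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path, with query string and fragment stripped."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def validate_url_insert(url: str, data: bytes) -> Verdict:
    """Decide whether bytes fetched for an 'insert from URL' request may be stored."""
    ext = extension_of(url)
    kind = sniff_type(data)
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, kind, f"extension {ext!r} is not an allowed image type")
    if kind == "svg":
        # Reject SVG outright; the note only records whether scripting was present.
        active = bool(SVG_ACTIVE_CONTENT.search(data))
        note = " (contains script or event-handler attributes)" if active else ""
        return Verdict(False, kind, "SVG content rejected regardless of extension" + note)
    if kind == "unknown":
        return Verdict(False, kind, "content does not match any supported raster format")
    if kind != CANONICAL_TYPE.get(ext, ext):
        return Verdict(False, kind, f"extension {ext!r} does not match detected {kind}")
    return Verdict(True, kind, "raster image accepted")


# Constructed samples (not real uploads): a truncated PNG header and a small SVG
# carrying a harmless script element to stand in for an injected payload.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script>console.log("constructed sample")</script></svg>'
)

if __name__ == "__main__":
    for url, data in [
        ("https://example.com/logo.png", SAMPLE_PNG),
        ("https://example.com/icon.svg", SAMPLE_SVG),
        ("https://example.com/icon.png", SAMPLE_SVG),  # SVG served under a .png name
    ]:
        v = validate_url_insert(url, data)
        print(f"{url}: accepted={v.accepted} type={v.detected_type} ({v.reason})")
```

The third sample matters most: an allow-list on the URL's extension alone would pass it, which is why the decision is made on the sniffed content and a mismatch between extension and content is itself grounds for rejection.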

Is it really a vulnerability?

The researcher reported the vulnerability to WordPress. But according to the person who discovered it, WordPress didn’t recognize it as a vulnerability.

Here is what the researcher wrote:

“I found a Stored Cross Site Scripting vulnerability in WordPress which has been dismissed and tagged as Informative by the WordPress team.

Today is the 45th day since I reported the vulnerability and yet the vulnerability is not patched as of this writing…”

So it seems there is a question of whether WordPress is right and the US government-backed CVE Foundation is wrong (or vice-versa) about whether this is an XSS vulnerability.

The researcher insists that this is a real vulnerability and offers CVE acceptance to validate this claim.

Additionally, the researcher suggests that allowing images to be uploaded via URL in the WordPress Gutenberg plugin might not be good practice, noting that other companies do not allow this type of upload.

“If so, then tell me why … companies like Google and Slack have gone so far as to validate files that are uploaded to a URL and reject the files if they turn out to be SVG!”

“…Google and Slack… do not allow SVG files to be uploaded to a URL, but WordPress does!”

What to do?

WordPress has not released a patch for the vulnerability, as they do not appear to consider it a vulnerability, or at least not one that causes a problem.

The official vulnerability report states that Gutenberg versions up to 13.7.3 contain the vulnerability.

But 13.7.3 is the most recent version.

According to the official WordPress Gutenberg changelog which records all past changes and also publishes a description of future changes, there have been no fixes for this (alleged) vulnerability, and none are planned.

The question is therefore whether there is something to correct or not.

Sources

US Government Vulnerability Database Report on Vulnerability

CVE-2022-33994 Detail

Report published on the official CVE website

CVE-2022-33994 Detail

Read the researcher’s findings

CVE-2022-33994: – XSS stored in WordPress

