The US government’s National Vulnerability Database has published an entry for a vulnerability reported in the official WordPress Gutenberg plugin. However, according to the researcher who found it, WordPress does not acknowledge that it is a vulnerability.
Stored Cross-Site Scripting (XSS) Vulnerability
XSS is a type of vulnerability that occurs when a website accepts input, such as a form submission or an uploaded file, that it should have rejected or sanitized.
Most forms and other website inputs are validated against what is expected, and dangerous files are filtered out.
An example of the vulnerability is an image upload form that cannot stop an attacker from uploading a malicious script instead of an image.
According to the non-profit Open Web Application Security Project, an organization that helps improve software security, this is what a successful XSS attack can do:
“XSS can be used by attackers to send malicious scripts to unsuspecting users.
The end user’s browser has no way of knowing that the script should not be trusted and will execute it.
Malicious scripts can access cookies, session tokens, or other sensitive information held by the browser and used by the site because the script is assumed to be from a trusted source.
These scripts can even rewrite the content of HTML pages.”
Common Vulnerabilities and Exposures – CVE
The CVE program serves as a way of documenting vulnerabilities and disseminating findings to the public.
Organizations supported by the U.S. Department of Homeland Security investigate vulnerability reports and, if a report is accepted, assign the vulnerability a CVE number that serves as an identifier for that particular vulnerability.
Gutenberg Vulnerability Discovered
A security researcher uncovered what appears to be a vulnerability. The discovery was submitted to CVE, approved, and assigned a CVE ID number, making it an official vulnerability.
The XSS vulnerability has been given the ID number CVE-2022-33994.
A vulnerability report published on the CVE site contains the following description:
“The Gutenberg plugin for WordPress up to 13.7.3 allows stored XSS by the Contributor role via an SVG document in the ‘Insert from URL’ feature.
Note: XSS payloads are not executed in the context of the WordPress instance’s domain. However, similar attempts by a low-privileged user to reference SVG documents have been blocked by some similar products, and this difference in behavior could be relevant as a security risk to some WordPress site administrators.”
This means that someone with contributor-level privileges could inject malicious files into your website.
The way to do that is to insert an image from a URL.
Gutenberg offers three ways to add an image:
- Upload an image
- Select an existing image from your WordPress media library
- Insert an image from a URL
According to the security researcher, this last method is the source of the vulnerability because it allows images with file names of arbitrary extensions to be loaded into WordPress via a URL, including file types that the normal upload feature does not allow.
Is it really a vulnerability?
Researchers reported this vulnerability to WordPress. However, according to the person who discovered it, WordPress didn’t recognize it as a vulnerability.
This is what the researcher wrote:
“We discovered a stored cross-site scripting vulnerability in WordPress, which was dismissed and labeled as beneficial by the WordPress team.
Today is the 45th day since I reported the vulnerability, and as of this writing, the vulnerability has not yet been patched…”
So there seems to be a question whether WordPress is right and the US government-backed CVE Foundation is wrong (or vice versa) as to whether this is an XSS vulnerability.
The researcher claims that this is a real vulnerability and points to the CVE approval to back up that claim.
Additionally, the researcher suggests that allowing the WordPress Gutenberg plugin to load images via a URL may not be good practice, pointing out that other companies do not allow such uploads:
“If so, please tell me why… …companies such as Google and Slack go so far as to validate files loaded via URLs and reject them if they are found to be SVG!
…Google and Slack… don’t allow SVG files to be loaded via URL, but WordPress does!”
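As an added example (not code from the article, from WordPress, or from the researcher) of the kind of validation the researcher describes: an image-from-URL handler that decides by the fetched bytes rather than the file extension or the server’s Content-Type, and rejects SVG outright. The allowlist, URLs and sample bytes are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Magic bytes of the raster formats an "insert image from URL" feature is meant to accept
# (an allowlist constructed for this example, not WordPress's own list).
RASTER_MAGIC = ((b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
                (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"))
_SVG_ROOT = re.compile(rb"<\s*svg[\s>/]", re.IGNORECASE)  # <svg> root after any BOM/prolog/DOCTYPE

def sniff_image(data: bytes) -> Optional[str]:
    """Return the MIME type of a recognised raster image from its leading bytes, else None."""
    for magic, mime in RASTER_MAGIC:
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # RIFF <size> "WEBP"
        return "image/webp"
    return None

def looks_like_svg(data: bytes) -> bool:
    """Content-sniff for SVG in the first 4 KiB; the file extension plays no part."""
    head = data[:4096]
    if head.startswith(b"\xef\xbb\xbf"):  # drop a UTF-8 BOM
        head = head[3:]
    return _SVG_ROOT.search(head) is not None

def validate_remote_image(url: str, data: bytes, content_type: Optional[str]) -> Tuple[bool, str]:
    """Decide whether bytes fetched from `url` may be stored as an image. The URL's
    extension and the server's Content-Type are untrusted hints, only echoed in the
    reason; the decision rests on the bytes, and SVG is named because it can carry script."""
    hint = f"url={url!r} content_type={content_type!r}"
    mime = sniff_image(data)
    if mime is not None:
        return True, f"accepted as {mime} ({hint})"
    if looks_like_svg(data):
        return False, f"rejected: SVG document ({hint})"
    return False, f"rejected: not a recognised raster image ({hint})"

# Constructed samples, not real files: a benign SVG reachable under a .png name and served
# as image/png, a genuine PNG header served with a wrong Content-Type, and a WebP header.
SVG_NAMED_PNG = b"\xef\xbb\xbf<?xml version='1.0'?><!-- logo --><svg xmlns='http://www.w3.org/2000/svg'><rect/></svg>"
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBP_HEADER = b"RIFF\x10\x00\x00\x00WEBPVP8 "

if __name__ == "__main__":
    for url, blob, ctype in (("https://cdn.example.test/logo.png", SVG_NAMED_PNG, "image/png"),
                             ("https://cdn.example.test/photo", PNG_HEADER, "text/plain"),
                             ("https://cdn.example.test/pic.webp", WEBP_HEADER, "image/webp")):
        print(validate_remote_image(url, blob, ctype))
```

The first sample is the case the CVE description concerns: an SVG that an extension or Content-Type check would wave through as a PNG, which the byte-level check rejects.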
What should I do?
WordPress does not appear to consider this to be a vulnerability, or at least not one that causes a problem, and has not issued a patch for it.
The official vulnerability report states that Gutenberg versions up to 13.7.3 contain the vulnerability.
However, 13.7.3 is the latest version.
According to the official WordPress Gutenberg changelog, which documents all past changes and also publishes a description of future changes, no fixes have been made or planned for this (alleged) vulnerability.
So the question is, is there anything to fix?
Citations
U.S. Government Vulnerability Database report on the vulnerability: CVE-2022-33994 Details
Report published on the official CVE site: CVE-2022-33994 Details
Read the researcher’s findings: CVE-2022-33994:- XSS stored in WordPress
Featured image from Shutterstock/Kues