The United States government’s National Vulnerability Database recently notified the public about a vulnerability found in the official WordPress Gutenberg plugin. However, according to the discoverer, WordPress has not acknowledged it as a vulnerability.
Stored Cross-Site Scripting (XSS) Vulnerability
XSS is a type of vulnerability that occurs when an attacker is able to get a harmful script into a site through a form or another input that would normally not accept such content.
Most forms and other website inputs validate and filter out dangerous files to prevent such uploads.
An example is a form meant for image uploads that fails to block a malicious script from being uploaded.
According to the Open Web Application Security Project (OWASP), an organization dedicated to improving software security, a successful XSS attack can lead to several issues:
“An attacker can use XSS to send a malicious script to an unsuspecting user.
The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
These scripts can even rewrite the content of the HTML page.”
Common Vulnerabilities & Exposures – CVE
CVE is an organization responsible for documenting and publicizing vulnerabilities. Supported by the U.S. Department of Homeland Security, the organization reviews discovered vulnerabilities and, if validated, assigns them a CVE number for identification.
Discovery Of Vulnerability In Gutenberg
A security researcher discovered what was believed to be a vulnerability and submitted the finding to CVE. The vulnerability was validated, given a CVE ID number, and thus formally recognized. The XSS vulnerability was assigned the ID number CVE-2022-33994.
The CVE site describes the vulnerability as follows:
“The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the ‘Insert from URL’ feature.
NOTE: the XSS payload does not execute in the context of the WordPress instance’s domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.”
This implies that someone with Contributor-level privileges can insert a malicious file into the website by uploading the file through a URL.
In Gutenberg, images can be uploaded in three ways:
- By uploading a file directly
- By selecting an existing image from the WordPress Media Library
- By inserting the image from a URL
The vulnerability arises from the last method because, according to the researcher, an attacker can upload an image with any file extension via a URL, bypassing the upload feature’s restrictions.
Is It Really A Vulnerability?
The researcher reported the finding to WordPress, but WordPress did not acknowledge it as a vulnerability. The researcher expressed frustration over this response:
“I found a Stored Cross Site Scripting vulnerability in WordPress that got rejected and got labeled as Informative by the WordPress Team.
Today is the 45th day since I reported the vulnerability and yet the vulnerability is not patched as of writing this…”
The discrepancy raises questions about whether WordPress or the U.S. Government-supported CVE foundation is correct regarding the classification of this issue as an XSS vulnerability. The researcher maintains that it is a genuine vulnerability and cites the CVE acceptance to support this claim. They also argue that allowing images to be uploaded via a URL is not a best practice and mention that other companies like Google and Slack do not permit such uploads:
“If this is so, then tell me why… companies like Google and Slack went to the extent of validating files that are loaded over an URL and rejecting the files if they’re found to be SVG!
…Google and Slack… don’t allow SVG files to load over an URL, which WordPress does!”
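One way a site could apply the kind of validation the researcher attributes to Google and Slack to the “insert from URL” path described above, as an added example that is not Gutenberg’s or WordPress’s code: the function names, the sample URLs and the sample response bodies are constructed for illustration, and the gate assumes the caller has already fetched the remote URL and hands it the resulting name, Content-Type header and raw bytes.

```javascript
// Added example, not Gutenberg or WordPress code: a defender-side gate for an
// "insert from URL" image field. SVG is refused on any of three signals, and only a
// body carrying a known raster signature is admitted, so neither a renamed extension
// nor an attacker-controlled Content-Type header can smuggle an SVG document in.
const SVG_ROOT = /^<(?:[\w.-]+:)?svg[\s>/]/i;

function extensionLooksSvg(url) {
  try { return /\.svgz?$/i.test(new URL(url).pathname); } catch { return false; }
}

function contentTypeIsSvg(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase() === "image/svg+xml";
}

// Sniff the body: strip BOM, XML prolog, comments and DOCTYPE, then check whether the
// first element is <svg>. The remote server chooses name and Content-Type; only bytes count.
function bodyLooksSvg(body) {
  const head = body.slice(0, 4096).replace(/^\uFEFF/, "")
    .replace(/<\?xml[\s\S]*?\?>/g, "").replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<!DOCTYPE[^>]*>/gi, "").trimStart();
  return SVG_ROOT.test(head);
}

// Magic-byte allowlist; body is the raw response bytes as a latin1 string.
function rasterSignature(body) {
  if (body.startsWith("\x89PNG\r\n\x1a\n")) return "png";
  if (body.startsWith("\xFF\xD8\xFF")) return "jpeg";
  if (body.startsWith("GIF87a") || body.startsWith("GIF89a")) return "gif";
  if (body.startsWith("RIFF") && body.slice(8, 12) === "WEBP") return "webp";
  return null;
}

function classifyRemoteImage({ url, contentType, body }) {
  const reasons = [];
  if (extensionLooksSvg(url)) reasons.push("svg extension");
  if (contentTypeIsSvg(contentType)) reasons.push("image/svg+xml content-type");
  if (bodyLooksSvg(body)) reasons.push("svg root element");
  const format = rasterSignature(body);
  if (reasons.length === 0 && format === null) reasons.push("unrecognized image format");
  return { allowed: reasons.length === 0, format, reasons };
}

// Constructed samples: an SVG renamed to .png and served as image/png, and a real PNG header.
const SAMPLES = {
  renamedSvg: { url: "https://cdn.example.invalid/avatar.png", contentType: "image/png",
    body: '<?xml version="1.0"?><!-- c --><svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>' },
  realPng: { url: "https://cdn.example.invalid/photo.png", contentType: "image/png",
    body: "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" },
};
```

Because the decision rests on the bytes rather than on the file name or the Content-Type header, the renamed sample is refused with the reason "svg root element" while the genuine PNG passes.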
What To Do?
WordPress has not issued a fix for the vulnerability, as they do not deem it to be a problem. The official vulnerability report indicates that Gutenberg versions up to 13.7.3 are affected, which is the most current version. According to the official WordPress Gutenberg changelog, there have been no fixes for this alleged vulnerability, nor are there any planned.
The question remains whether there is indeed a vulnerability that needs fixing.