The United States government’s National Vulnerability Database published a notification of a vulnerability discovered in the official WordPress Gutenberg plugin. But according to the person who found it, WordPress has not acknowledged that it is a vulnerability.
Stored Cross-Site Scripting (XSS) Vulnerability
XSS is a type of vulnerability that occurs when someone can get content such as a script onto a website, through a form or another input, that would not ordinarily be allowed there.
Most forms and other website inputs validate that what is submitted is what is expected and filter out dangerous files.
An example is an image upload form that fails to block an attacker from uploading a malicious script.
According to the non-profit Open Web Application Security Project, an organization focused on helping improve software security, this is what can happen with a successful XSS attack:
“An attacker can use XSS to send a malicious script to an unsuspecting user.
The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
These scripts can even rewrite the content of the HTML page.”
Common Vulnerabilities & Exposures – CVE
An organization named CVE documents vulnerabilities and publicizes the discoveries.
The organization, which the U.S. Department of Homeland Security supports, examines discoveries of vulnerabilities and, if accepted, will assign the vulnerability a CVE number that serves as the identification number of that specific vulnerability.
Discovery Of Vulnerability In Gutenberg
A security researcher discovered what was believed to be a vulnerability. The discovery was submitted to CVE, approved, and assigned a CVE ID number, making it an official vulnerability.
The XSS vulnerability was given the ID number CVE-2022-33994.
The vulnerability report that was published on the CVE site contains this description:
“The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the ‘Insert from URL’ feature.
NOTE: the XSS payload does not execute in the context of the WordPress instance’s domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.”
That means that someone with Contributor-level privileges can cause a malicious file to be inserted into the website.
The way to do it is by inserting the image through a URL.
In Gutenberg, there are three ways to upload an image.
- Upload it
- Choose an existing image from the WordPress Media Library
- Insert the image from a URL
That last method is where the vulnerability comes from because, according to the security researcher, an image with any file extension can be inserted into WordPress via a URL, something the regular upload feature does not allow.
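The check the researcher credits to Google and Slack, as an added example that is not Gutenberg’s code or the researcher’s: it takes the bytes a server-side fetch of the user-supplied URL returned and decides by content, never by the claimed file name, whether the reference may be accepted for a given privilege level. The role flag, the accepted-type table and all sample bytes are constructed assumptions.

```python
import re
from typing import NamedTuple

# Magic bytes for the raster formats a media library normally accepts.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# An SVG root element, possibly preceded by an XML declaration, comments or a DOCTYPE.
SVG_ROOT = re.compile(rb"<\s*svg[\s>/]", re.IGNORECASE)
# Markers of active content inside an SVG: script elements, on* handlers, javascript: URLs.
ACTIVE_CONTENT = re.compile(rb"<\s*script\b|\son[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

class Verdict(NamedTuple):
    allowed: bool
    detected_type: str
    reason: str

def classify_remote_image(data: bytes, claimed_name: str, privileged: bool) -> Verdict:
    """Decide whether bytes fetched from a user-supplied URL may be referenced as an image.

    The decision is made from content only; claimed_name is reported, never trusted.
    """
    head = data[:8192]
    for magic, mime in RASTER_MAGIC.items():
        if head.startswith(magic):
            return Verdict(True, mime, "raster image recognised by magic bytes")
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and leading whitespace
    if text.startswith(b"<") and SVG_ROOT.search(text):
        if not privileged:
            return Verdict(False, "image/svg+xml",
                           f"SVG rejected for low-privileged user (claimed {claimed_name!r})")
        if ACTIVE_CONTENT.search(head):
            return Verdict(False, "image/svg+xml", "SVG carries script or event-handler content")
        return Verdict(True, "image/svg+xml", "static SVG accepted for privileged user")
    return Verdict(False, "application/octet-stream", "content matches no accepted image type")

# Constructed samples; the script element is an inert placeholder, not a payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(16)
SVG_WITH_SCRIPT = (b'<?xml version="1.0"?>\n<!-- constructed -->\n'
                   b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>')
SVG_STATIC = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_SAMPLE), ("logo.png", SVG_WITH_SCRIPT), ("icon.svg", SVG_STATIC)]:
        print(name, classify_remote_image(blob, name, privileged=False))
```

Note that an SVG served under a .png name is still classified as SVG, which is the case the researcher describes: the extension in the URL tells the checker nothing.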
Is It Really A Vulnerability?
The researcher reported the vulnerability to WordPress. But according to the person who discovered it, WordPress didn’t acknowledge it as a vulnerability.
This is what the researcher wrote:
“I found a Stored Cross Site Scripting vulnerability in WordPress that got rejected and got labeled as Informative by the WordPress Team.
Today is the 45th day since I reported the vulnerability and yet the vulnerability is not patched as of writing this…”
So it seems that there is a question as to whether WordPress is right and the U.S. Government-supported CVE foundation is wrong (or vice-versa) about whether this is an XSS vulnerability.
The researcher insists that this is a real vulnerability and offers the CVE acceptance to validate that claim.
Furthermore, the researcher suggests that allowing the WordPress Gutenberg plugin to insert images via a URL might not be a good practice, noting that other companies do not allow that kind of uploading.
“If this is so, then tell me why… …companies like Google and Slack went to the extent of validating files that are loaded over a URL and rejecting the files if they’re found to be SVG!
…Google and Slack… don’t allow SVG files to load over a URL, which WordPress does!”
What To Do?
WordPress hasn’t issued a fix for the vulnerability because they appear not to believe it is a vulnerability or one that presents a problem.
The official vulnerability report states that Gutenberg versions up to 13.7.3 contain the vulnerability.
But 13.7.3 is the most current version.
According to the official WordPress Gutenberg changelog that records all past changes and also publishes a description of future changes, there have been no fixes for this (alleged) vulnerability, and there are none planned.
So the question is whether or not there is something to fix.
U.S Government Vulnerability Database Report on the Vulnerability
Report Published on Official CVE Site
Read the Findings of the Researcher