The 10Web Photo Gallery plugin is a popular image gallery and portfolio plugin for WordPress websites. An XSS vulnerability has recently been discovered in versions up to and including 1.5.68. This vulnerability, tracked as CVE-2021-31693, allows attackers to inject malicious scripts into a WordPress website through the album_gallery_id_, bwg_album_search_, and type_ parameters of bwg_frontend_data.

This post will provide information on CVE-2021-31693, including the code snippet associated with the vulnerability, links to original references, and exploit details. It's important to note that CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889 also affect the 10Web Photo Gallery plugin, but cover different parameters. Additionally, any VMware information previously associated with this CVE ID is the result of a typographical error and should instead be referred to as CVE-2022-31693.

Code Snippet

Below is a code snippet demonstrating the vulnerability in the 10Web Photo Gallery plugin. This snippet reveals the unsafe use of the album_gallery_id_, bwg_album_search_, and type_ parameters, which can be exploited for XSS attacks.

// 10Web Photo Gallery plugin (bwg_frontend_data)
$album_gallery_id = isset($_POST['album_gallery_id']) ? esc_html($_POST['album_gallery_id']) : '';
$bwg_album_search = isset($_POST['bwg_album_search']) ? esc_html($_POST['bwg_album_search']) : '';
$type = isset($_POST['type']) ? esc_html($_POST['type']) : 'album';

// Unsafe use of album_gallery_id_, bwg_album_search_, and type_ parameters
echo "<input type='hidden' id='album_gallery_id_' name='album_gallery_id' value='" . $album_gallery_id . "' />";
echo "<input type='hidden' id='bwg_album_search_' name='bwg_album_search' value='" . $bwg_album_search . "' />";
echo "<input type='hidden' id='type_' name='type' value='" . $type . "' />";

For more information on the vulnerability, refer to these original resources and official advisories:

1. CVE-2021-31693 - National Vulnerability Database (NVD) Entry
2. Mitre's CVE Entry for CVE-2021-31693
3. 10Web Photo Gallery Plugin - WordPress Repository

Exploit Details

To exploit this vulnerability, an attacker can create a malicious payload and inject it into the website using the unsafe parameters. These payloads can include JavaScript code designed to steal user credentials, perform unauthorized actions, or even redirect users to other malicious sites.

To demonstrate this attack, an example payload for the bwg_album_search_ parameter is shown below:

"><script>alert('XSS')</script>

By submitting this payload through the bwg_album_search_ parameter, an attacker can trigger an XSS alert on the affected WordPress website. This is a simple example, but more sophisticated payloads can lead to more dangerous consequences. It is crucial to update the 10Web Photo Gallery plugin to the latest version to prevent such attacks.
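
A defender-side check for the requests described above, as an added example that is not part of the original post or the plugin's code: it scans URL-encoded POST bodies for the three parameters and flags values that could break out of a quoted attribute, including double-encoded ones. The action=bwg_frontend_data field, the tolerated numeric suffix on parameter names, the expected value shapes, and the sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Parameter names from the advisory; a trailing "_<index>" is tolerated (assumption).
WATCHED = re.compile(r"(album_gallery_id|bwg_album_search|type)(?:_[0-9]*)?")
# Characters that can close a quoted attribute value or open a tag.
BREAKOUT = re.compile(r"[<>\"']")
# Expected value shapes (assumptions): numeric id, short identifier for type.
SHAPE = {"album_gallery_id": re.compile(r"[0-9]*"), "type": re.compile(r"[a-z_]*")}

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so that %253C is inspected as '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(body):
    """Return [(name, reason)] for watched parameters in a urlencoded POST body."""
    params = parse_qsl(body, keep_blank_values=True)
    # Scope to the plugin's handler; "type" alone is too generic a name (assumed field).
    if ("action", "bwg_frontend_data") not in params:
        return []
    findings = []
    for name, raw in params:
        m = WATCHED.fullmatch(name)
        if not m:
            continue
        value = fully_decode(raw)
        if BREAKOUT.search(value):
            findings.append((name, "attribute breakout characters"))
        elif m.group(1) in SHAPE and not SHAPE[m.group(1)].fullmatch(value):
            findings.append((name, "unexpected value shape"))
    return findings

# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "action=bwg_frontend_data&album_gallery_id=12&bwg_album_search=beach+2020&type=album",
    "action=bwg_frontend_data&bwg_album_search=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E",
    "action=bwg_frontend_data&type_=%2522%253E%253Cb%253E&album_gallery_id=abc",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(suspicious_params(body) or "clean", "<-", body)
```

Free-text search terms are only checked for breakout characters, so legitimate searches containing quotes will be flagged and need triage.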

Conclusion

CVE-2021-31693 is a serious vulnerability affecting the 10Web Photo Gallery plugin for WordPress, with potentially damaging consequences for websites using the plugin. Website owners and administrators should ensure that their plugin is updated to the latest version to protect against this vulnerability. It is also vital to stay informed of any additional vulnerabilities and security issues related to the 10Web Photo Gallery plugin and other WordPress plugins, as they may also pose risks to your website's security.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 06/07/2023 16:15:00 UTC