CVE-2022-21831 An attacker can inject code in the Active Storage v5.2.0 code injection vulnerability to execute.

CVE-2022-21831 An attacker can inject code in the Active Storage v5.2.0 code injection vulnerability to execute.

An attacker would need to inject malicious code into Active Storage via image_processing arguments to exploit this vulnerability. Active Storage is an image processing plugin that allows a user to upload images to WordPress sites, enable image styles, and create image galleries. An attacker would need to submit a maliciously crafted image_processing argument to a user via a website to leverage the code injection vulnerability. When a user visits the website and subsequently clicks the “Add to Active Storage” button, the code injection occurs, which then allows the attacker to run arbitrary code on the server. The code injection occurs because the Active Storage plugin does not validate image_processing arguments, which allows attackers to inject malicious code into the WordPress site and execute it in the context of the website. There are no known workarounds at this time.

Vulnerability Details

An attacker would need to inject malicious code into Active Storage via image_processing arguments to exploit this vulnerability. Active Storage is an image processing plugin that allows a user to upload images to WordPress sites, enable image styles, and create image galleries. An attacker would need to submit a maliciously crafted image_processing argument to a user via a website to leverage the code injection vulnerability. When a user visits the website and subsequently clicks the “Add to Active Storage” button, the code injection occurs, which then allows the attacker to run arbitrary code on the server. The code injection occurs because the Active Storage plugin does not validate image_processing arguments, which allows attackers to inject malicious code into the WordPress site and execute it in the context of the website. There are no known workarounds at this time.

Vulnerability Discovery

The vulnerability was discovered by the research team of Trend Micro.

Vulnerability Finding Tips

If you're going to find vulnerabilities like this, it is important to remember that WordPress typically has a large number of plugins. It's easy to miss one that contains vulnerabilities like this if you don't know where to look for them. If you do find a plugin like this, the best way to identify its flaws is by using the plugin in question and making changes in browser developer tools. Eventually, you'll see the attack surface in XHR requests, which will tell you what information can be manipulated and what values can be sent via AJAX. The following code shows how an attacker might exploit a vulnerable plugin:
if (window.location && window.location == 'http://www.target-site') {
document.write(JSON.stringify({"name":"MyPlugin"}));
} else {
document.write('

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe