CVE-2023-44393 - Reflected XSS in Piwigo’s Plugin Management (Explained With Exploit Code & Fix)

Piwigo is a popular open source photo gallery application used by photographers, organizations, schools, and others to manage, share, and display photos. In 2023, a critical security flaw, CVE-2023-44393, was discovered in its plugin management pages, specifically affecting admin users.

This post breaks down what the vulnerability is, how it can be exploited, and what you should do to protect yourself—using simple American English and original references.

What is CVE-2023-44393?

CVE-2023-44393 is a reflected cross-site scripting (XSS) vulnerability in Piwigo, present up to (but not including) 14..beta4. The problem is with the way the plugin_id parameter is handled on the URL:

/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]

If you’re logged in as *admin* and visit that URL with a malicious plugin_id value, the injected code runs in your browser as if it’s coming from the trusted Piwigo domain.

Why is it Dangerous?

- Targets Admins: Only admins, who can install plugins, are vulnerable. But that's very bad—an attacker could steal their cookies, create new admin users, or even install backdoors!

No Authentication Bypass Needed: The link just needs to be opened by a logged-in admin.

- Can Be Shared in Emails or Chat: A crafty hacker could trick an admin into clicking a carefully built URL.

What Causes the Problem?

Piwigo’s plugin installation screen at /admin.php doesn’t properly sanitize user input from plugin_id. That means special characters—even HTML or JavaScript—put in the URL are *injected* straight into the admin’s web page, and executed by the browser.

For example, the PHP backend might do something like

<?php
//...
echo "<div>Installation result for plugin: " . $_GET['plugin_id'] . "</div>";
//...
?>

If plugin_id is something harmless like watermark, no problem. But what if it’s JavaScript code?

Crafting an Exploit

Imagine you want to steal the admin’s cookie using JavaScript. Here’s a payload you could use as plugin_id:

"><script>alert(document.cookie)</script>

A *fully functional attack URL* would look like

https://your-piwigo-site.com/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

The plugin page loads.

- The code between <script>...</script> is executed *immediately*, so alert(document.cookie) pops up the admin’s cookie.

Attackers can go way beyond just showing a popup: they could send cookies to their own server, create hidden admin accounts, or do anything the admin can from the browser.

`

https://your-piwigo-site.com/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E

How to Fix It

The Piwigo team patched this issue in version 14..beta4.

Download latest secure version:

=> https://piwigo.org/downloads/

- If you *must* stick with old versions, sanitize plugin_id in your local source (e.g., use htmlspecialchars() on all echo’d variables from the URL).

Key References

- Official CVE Record for CVE-2023-44393
- Piwigo Security Advisories
- GitHub Patch Commit (see the fix)
- Piwigo Downloads

Conclusion

CVE-2023-44393 is a classic yet very dangerous reflected XSS, allowing attackers to run arbitrary code in an admin’s browser simply by sharing a link. If you’re running Piwigo and have not yet updated, *do so now!* Always keep up with security updates, especially for admin parts of internet-facing software.

Stay safe—patch regularly, and beware strange admin URLs!

If you're interested in more security how-tos or want a deeper look at this vulnerability, let us know in the comments.

Timeline

Published on: 10/09/2023 15:15:10 UTC
Last modified on: 10/13/2023 18:42:49 UTC