Found a vulnerability in WordPress Gutenberg plugin?


The United States Government’s National Vulnerability Database has published a notice of a vulnerability discovered in the official WordPress Gutenberg plugin. But according to the person who found it, WordPress has not acknowledged it as a vulnerability.

Stored Cross-Site Scripting (XSS) Vulnerability.

XSS is a type of vulnerability that occurs when someone is able to submit content, such as a script, through a form or another input method that should not have accepted it, and the site then serves that content to other users.

Most forms and other site inputs verify that what is being uploaded is what is expected and reject dangerous files.

An example is an image upload form that fails to prevent an attacker from uploading a malicious script.

According to the nonprofit Open Web Application Security Project, an organization focused on helping improve software security, this can happen with a successful XSS attack:

“An attacker can use XSS to send a malicious script to an unsuspecting user.

The end user’s browser has no way of knowing that the script should not be trusted and will execute the script.

By thinking that the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information stored by the browser and used with that site.

These scripts can even overwrite the content of an HTML page.”

Common Vulnerabilities and Exposures – CVEs

The CVE (Common Vulnerabilities and Exposures) program serves as a way to document vulnerabilities and make discoveries public.

An organization supported by the US Department of Homeland Security reviews vulnerability discoveries and, if accepted, will assign the vulnerability a CVE number, which serves as an identification number for that particular vulnerability.

Vulnerability discovered in Gutenberg

A security researcher has discovered a suspected vulnerability. The discovery has been submitted to CVE, approved, and assigned a CVE ID number, making the discovery an official vulnerability.

The XSS vulnerability was given the ID number CVE-2022-33994.

The vulnerability report published on the CVE website contains this description:

“The Gutenberg plugin up to version 13.7.3 for WordPress allows the Contributor role to save XSS via an SVG document in the “Insert from URL” function.

NOTE: The XSS payload is not executed in the domain context of the WordPress instance; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference may be security-critical for some WordPress site administrators.”

This means that someone with low-level (Contributor) privileges can cause a malicious file to be injected into a website.

You can do this by inserting the image via URL.

There are three ways to upload an image in Gutenberg.

  1. Upload it
  2. Select an existing image from the WordPress Media Library
  3. Insert image from URL

This last method is the source of the vulnerability because, according to the security researcher, you can get an image with an arbitrary file name into WordPress via a URL, which the regular upload function does not allow.

Is this really a vulnerability?

A WordPress vulnerability was reported by a researcher. But according to the person who discovered it, WordPress didn’t acknowledge it as a vulnerability.

This is what the researcher wrote:

“I found a Stored Cross Site Scripting vulnerability in WordPress that was deprecated and marked as informational by the WordPress team.

Today is the 45th day since I reported the vulnerability, but the vulnerability has not been patched at the time of writing this…”

So there seems to be a question of whether WordPress is right and the US government-backed CVE Foundation is wrong (or vice versa) about whether this is an XSS vulnerability.

The researcher insists that this is a real vulnerability and cites the CVE assignment to back up this claim.

Additionally, the researcher suggests that allowing images to be inserted via URL, as the WordPress Gutenberg plugin does, may not be good practice, noting that other companies do not allow this type of upload.

“If that’s the case, then tell me why… …companies like Google and Slack have gone so far as to check files that are uploaded via a URL and reject files if they’re found to be SVG!

… Google and Slack … don’t allow uploading SVG files via URL, which WordPress does!”
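The check the researcher attributes to Google and Slack, and the gap described above (a file fetched by URL bypasses the checks the regular upload path applies), both come down to classifying a fetched file by its bytes rather than by the name in the URL. The following is an added example and not code from WordPress, Gutenberg or the researcher; the names `classify_fetched_file`, `Verdict` and `SAMPLE_SVG` are constructed for illustration, and it assumes a plain-XML parse is acceptable for the classification.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SCRIPT_ELEMENTS = {"script", "foreignObject", "set", "animate", "iframe", "embed", "object"}
ACTIVE_SCHEMES = ("javascript:", "data:")


@dataclass
class Verdict:
    is_svg: bool
    active_content: list = field(default_factory=list)  # findings, in document order

    @property
    def reject(self) -> bool:
        # Policy the article attributes to Google and Slack: refuse any SVG fetched by URL.
        return self.is_svg


def _local(name: str) -> str:
    """Strip a Clark-notation namespace: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1]


def classify_fetched_file(data: bytes) -> Verdict:
    """Classify by content only; the URL's filename or extension is never consulted."""
    try:
        # Assumption: stdlib parser suffices here; on untrusted input use defusedxml.
        root = ET.fromstring(data.lstrip(b"\xef\xbb\xbf"))
    except ET.ParseError:
        return Verdict(is_svg=False)  # PNG/JPEG bytes or non-XML text land here
    if _local(root.tag) != "svg":
        return Verdict(is_svg=False)  # well-formed XML, but not an SVG document
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload=, onclick=, ... event handlers
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"{value.split(':', 1)[0]}: URL on <{tag}>")
    return Verdict(is_svg=True, active_content=findings)


# Constructed sample: the bytes a URL ending in .png might actually hand over.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<!-- passes any check that only looks at the filename -->
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(1)</script>
  <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><text>x</text></a>
</svg>"""
```

A benign SVG with no script still gets `reject == True`, which is the point of the policy: the decision is made on the file type, not on whether a payload happens to be present.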

What to do?

WordPress hasn’t released a patch for the vulnerability because they don’t seem to believe it’s a vulnerability or one that’s causing a problem.

The official vulnerability report states that Gutenberg versions up to 13.7.3 contain the vulnerability.

But 13.7.3 is the latest version.

According to the official WordPress Gutenberg changelog, which records all past changes and also publishes a description of future changes, there have been no fixes for this (alleged) vulnerability, and no fixes are planned.

So the question is whether there is anything that needs to be fixed at all.


US Government Vulnerability Database Report on Vulnerability

CVE-2022-33994 Detail

Report published on the official website of the CVE

CVE-2022-33994 Detail

Read the researcher’s findings

CVE-2022-33994:- Stored XSS in WordPress

Featured Image Shutterstock/Kues

