CVE-2015-9537: XSS in NextGEN Gallery Plugin

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Multiple XSS vulnerabilities was identified on the WordPress NextGen Gallery plugin before 2.1.10, involving thumbnail_width, thumbnail_height, thumbwidth, thumbheight, wmXpos, and wmYpos, and template.

Vendor: NextGen
Affected Product: NextGen Gallery
CVE: CVE-2015-9537
Securin ID: 2015-CSW-08-1002
Status: Fixed
Date: August 31, 2015
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

Visit the following page on a site with the plugin installed. http://wordpresssite.com/wordpress/wp-admin/admin.php?page=nggallery-manage-gallery&mode=edit&gid=1&paged=1 and modify the value of path variable in NextGEN Gallery Photocrati Version 2.1.10 with’></script><script>alert(document.cookie);</script> payload and save it to view further. Now, the added XSS payload is executed whenever the user reviews it.

PoC · Exploitation Steps▲ trigger

01Note: XSS payload has been tried with the application once after implementing Unfiltered Html Settings as defined to the wp-config.php file02Figure 01: HTTP Request & response for the vulnerable variable photocrati-nextgen_basic_thumbnails[thumbnail_width]03Figure 02: HTTP Request & response for the vulnerable variable thumbnail_settings[thumbwidth]04Figure 03: XSS response executed in the browser

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can inject malicious code into the scope of vulnerable variables to a managed gallery page by providing XSS payload as a value.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9537, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Aug 31, 2015

Discovered in NextGen Gallery 2.1.7 version.

Aug 31, 2015

Reported to WP Plugin.

Sep 01, 2015

Fixed in 2.1.10 version of NextGen Gallery.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-9537

nvd.nist.gov/vuln/detail/CVE-2015-9537 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: NextGen
Affected Product: NextGen Gallery
CVE: CVE-2015-9537
Securin ID: 2015-CSW-08-1002
Status: Fixed
Date: August 31, 2015
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can inject malicious code into the scope of vulnerable variables to a managed gallery page by providing XSS payload as a value.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download the latest updated version of the Nextgen plugin and apply the patch as per vendor advisory.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2015-9537, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Aug 31, 2015

Discovered in NextGen Gallery 2.1.7 version.

Aug 31, 2015

Reported to WP Plugin.

Sep 01, 2015

Fixed in 2.1.10 version of NextGen Gallery.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2015-9537

nvd.nist.gov/vuln/detail/CVE-2015-9537 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Multiple Cross Site Scripting in NextGen Gallery

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in NextGen Gallery 2.1.7 version.

Reported to WP Plugin.

Fixed in 2.1.10 version of NextGen Gallery.

Cite, verify, go deeper.

NVD — CVE-2015-9537

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Cross Site Scripting in NextGen Gallery

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in NextGen Gallery 2.1.7 version.

Reported to WP Plugin.

Fixed in 2.1.10 version of NextGen Gallery.

Cite, verify, go deeper.

NVD — CVE-2015-9537

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Cross Site Scripting in NextGen Gallery

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in NextGen Gallery 2.1.7 version.

Reported to WP Plugin.

Fixed in 2.1.10 version of NextGen Gallery.

Cite, verify, go deeper.

NVD — CVE-2015-9537

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Cross Site Scripting in NextGen Gallery

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in NextGen Gallery 2.1.7 version.

Reported to WP Plugin.

Fixed in 2.1.10 version of NextGen Gallery.

Cite, verify, go deeper.

NVD — CVE-2015-9537

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.