[Private] Urgent Security Vulnerability Discovery in Post Grid Gutenberg Blocks.

Ticket for: Combo Blocks
Dmitrii
Sep 09, 2024 08:32 AM

Subject: Urgent Security Vulnerability Discovery in Post Grid Gutenberg Blocks.

Dear Post Grid Gutenberg Blocks team,

I hope this email finds you well. My name is Dmitrii, and I work as a penetration tester at CleanTalk Inc. I am writing to inform you about a critical security vulnerability that I recently discovered in your WordPress plugin, Post Grid Gutenberg Blocks.

During my routine security assessment of popular WordPress plugins, I came across a flaw in your plugin that could potentially expose websites to unauthorized access, data breaches, or other malicious activities. Given the severity of this vulnerability, I believe it is of utmost importance to address this issue promptly.

Here are the details of the vulnerability:

Vulnerability Type: Stored XSS to Admin Account Creation (Contributor+)
Affected Plugin Version(s): 2.2.92
Slug: https://wordpress.org/plugins/post-grid/
Description: In the process of testing the plugin, a vulnerability was found that allows Stored XSS to be performed on behalf of a contributor by embedding the shortcode in a new post, which entails admin account creation.

POC payload: *DELETED BY WORDFENCE*

POC video: https://drive.google.com/file/d/1Zsli3IszDMb1Q3tIVerrvFxc8fx30-Z3/view?usp=sharing

1) Sensitive Data Exposure through Phishing:
Impact: Attackers can exploit the vulnerability to launch phishing attacks, tricking users into revealing sensitive information.
Attack: Malicious actors embed the shortcode in a post containing a fake login form, capturing users' credentials and leading to unauthorized access.
2) Malicious Content Injection and Defacement:
Impact: Attackers can deface websites by injecting malicious content, damaging the site's reputation and user trust.
Attack: By embedding the shortcode, attackers insert offensive or harmful content into posts visible to visitors, tarnishing the website's image.
3) Cookie Theft and Session Hijacking:
Impact: Attackers can steal user cookies and hijack active sessions, gaining unauthorized access to user accounts.
Attack: The vulnerability allows attackers to inject a script that captures users' cookies, enabling them to impersonate legitimate users and perform actions on their behalf.
4) Account Takeover and Data Manipulation:
Impact: Attackers can take control of user accounts and manipulate data, causing confusion and potential harm.
Attack: Malicious contributors embed the shortcode to modify or delete content within other users' posts, leading to content manipulation and loss of data integrity.
5) Propagation of Malicious Content:
Impact: Attackers can exploit the vulnerability to spread malware or malicious code to a wider audience.
Attack: By embedding the malicious shortcode in popular posts, attackers can infect a large number of users' browsers with malware, potentially leading to further compromise.

I understand that maintaining the security and integrity of your plugin is a top priority for you, and I am reaching out to collaborate with you in resolving this issue. My intention is to work together to ensure that all affected users can safely continue using your plugin without the risk of exploitation.

To aid the resolution process, I am prepared to assist you by:

- Providing a detailed vulnerability report that includes step-by-step instructions to reproduce and validate the vulnerability.
- Offering guidance and suggestions for mitigating the vulnerability effectively.

I strongly recommend that you take immediate action to investigate and address this vulnerability to protect your users and maintain the trust they have placed in your plugin. It would be beneficial to establish a line of communication to discuss the specifics of the vulnerability and collaborate on the remediation efforts.

Thank you for your attention to this matter. I look forward to hearing from you soon.

In response to this message, I would like to know how long it will take you to fix the vulnerability.

I would be grateful if, in the new version, not only CleanTalk but also Dmitrii Ignatyev were credited for the fix 🙂

Sincerely,
Dmitrii - Penetration Tester
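
The report above describes the general class of bug (shortcode attributes written by a Contributor reaching page output unescaped) without showing code. The following is an added illustration of that pattern and its fix; it is not the plugin's code and not part of the ticket. The shortcode name `demo_grid`, its attribute names and the callback names are assumptions made for the demonstration.

```php
<?php
// Illustrative example only: not the plugin's code. The shortcode name
// "demo_grid" and the attributes title/class/per_page are assumed.

// Vulnerable pattern. A Contributor cannot post raw <script> tags because the
// role lacks the unfiltered_html capability and KSES strips them from post
// content, but shortcode attribute values survive that filtering. A callback
// that interpolates them straight into markup re-creates the sink KSES removed,
// and whatever runs does so in the browser of whoever views the post,
// including an administrator previewing or moderating it.
function demo_grid_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '', 'per_page' => 6 ),
        $atts,
        'demo_grid'
    );
    // Raw interpolation: a value can break out of the attribute or element.
    return '<div class="grid ' . $atts['class'] . '" data-per-page="' . $atts['per_page'] . '">'
         . '<h2>' . $atts['title'] . '</h2></div>';
}

// Hardened pattern: constrain the type where the value has one, then escape
// for the exact HTML context each value lands in.
function demo_grid_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'class' => '', 'per_page' => 6 ),
        $atts,
        'demo_grid'
    );

    $per_page = absint( $atts['per_page'] );           // non-negative integer only
    $class    = sanitize_html_class( $atts['class'] ); // [A-Za-z0-9_-] only
    $title    = esc_html( $atts['title'] );            // text-node context

    return sprintf(
        '<div class="grid %s" data-per-page="%s"><h2>%s</h2></div>',
        esc_attr( $class ),      // attribute context
        esc_attr( $per_page ),   // attribute context
        $title
    );
}

add_shortcode( 'demo_grid', 'demo_grid_shortcode_hardened' );
```

When reviewing a plugin for this issue, the check is mechanical: follow every key returned by `shortcode_atts()` (and any block attribute rendered server-side) to the point where it is concatenated into output, and confirm that an `esc_attr()`, `esc_html()`, `esc_url()` or `wp_kses_post()` call sits between the two and matches the context. Escaping the whole string once with a single function is not enough; a value that is safe inside a text node is not automatically safe inside an attribute or a `style`/`href` value.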

Azizul Raju
Sep 14, 2024
Hi Dmitrii,
Thank you for your message. We have addressed the issues you raised. Please inform us if you discover any further problems.

Regards.
