WordPress Vulnerability Detail

Icegram Persistent Cross-Site Scripting

July 9, 2019 | John Castro

Exploitation Level: Very Easy/Remote

DREAD Score: 7

Vulnerability: Persistent Cross-site Scripting

Patched Version: 1.10.29


Icegram is a plugin that helps you collect email addresses for your newsletter. Other features include light-box popup offers, header action bars, toast notifications, and slide-in messengers.

Versions 1.10.28.2 and lower are affected by a persistent Cross-Site Scripting vulnerability in the admin area. This plugin has over 40,000 installations, and any attacker with a subscriber account can leverage this vulnerability.

We are not aware of any exploit attempts currently targeting this plugin, but all of our clients behind the website firewall are already protected.

Disclosure / Response Timeline:

  • June 06, 2019: Initial contact attempt.
  • July 09, 2019: Patch is live.

Technical Details

Using the check_for_gallery_items function, Icegram retrieves all of its gallery data from the official site: icegram[.]com.

Once collected, part of this data is serialized and stored with the option name ig_cat_list, as described in the function save_gallery_data:

The array is serialized in the function update_option()

To ensure that the gallery data is fully loaded, the code provides two ways to gather the information from the external resource.

When the first one fails, an AJAX function is executed that makes use of the already defined action “save_gallery_data”.

As we can see from the first picture, the function save_gallery_data performs no permission (capability) check before updating the plugin settings. This allows any registered user to arbitrarily import data into the plugin option ig_cat_list.

By providing an array with arbitrary data as categories, an attacker will be able to execute malicious JavaScript code in the admin area.
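The pattern described above, written here as an added example that is not Icegram's code: a WordPress admin-ajax handler that stores user-supplied gallery categories in an option, shown first as the unchecked version and then hardened with a capability check, a nonce check, input sanitization and output escaping. The hook name, option name and category fields are stand-ins chosen for this illustration.

```php
<?php
// Added example (not Icegram's code). Hook and option names are stand-ins.
// Every wp_ajax_* hook is reachable by any logged-in user, so authorization
// has to happen inside the handler; nothing upstream does it for you.

// --- Unchecked pattern: whatever the request sends is stored verbatim ---
// Registered with add_action( 'wp_ajax_example_save_gallery', ... ) in the
// vulnerable version; left unregistered here so only the safe one runs.
function example_save_gallery_unchecked() {
    $categories = isset( $_POST['categories'] ) ? (array) $_POST['categories'] : array();
    update_option( 'example_cat_list', $categories ); // serialized as-is
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_save_gallery', 'example_save_gallery_safe' );
function example_save_gallery_safe() {
    // 1. Only users allowed to change plugin settings get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. The request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_save_gallery', 'nonce' );

    // 3. Keep only the fields we expect, each reduced to plain text.
    $raw   = isset( $_POST['categories'] ) ? (array) wp_unslash( $_POST['categories'] ) : array();
    $clean = array();
    foreach ( $raw as $cat ) {
        if ( ! is_array( $cat ) || empty( $cat['name'] ) ) {
            continue;
        }
        $clean[] = array(
            'name' => sanitize_text_field( $cat['name'] ),
            'slug' => sanitize_key( isset( $cat['slug'] ) ? $cat['slug'] : '' ),
        );
    }
    update_option( 'example_cat_list', $clean );
    wp_send_json_success( count( $clean ) );
}

// 4. Wherever the stored data is rendered in the admin, escape for HTML context
//    so a stored value can never become markup or script.
function example_render_categories() {
    foreach ( (array) get_option( 'example_cat_list', array() ) as $cat ) {
        echo '<li>' . esc_html( $cat['name'] ) . '</li>';
    }
}
```

The capability check alone closes the subscriber-level write; the nonce, sanitization and escaping are defense in depth so that a single missed check does not again turn option data into executable script.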

Update as Soon as Possible

Cross-site scripting (XSS) is a widespread vulnerability class that allows an attacker to inject malicious content into a site. We’ve seen multiple malicious campaigns making use of this class of vulnerability for years now.

We strongly encourage Icegram users to update their plugin to version 1.10.29 as soon as possible. Users that are unable to update immediately can leverage the Sucuri Firewall (or equivalent technology) to virtually patch the vulnerability.


Categories: Vulnerability Disclosure, WordPress Security | Tags: WordPress Plugins and Themes, XSS

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPress plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn.
