LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute

This research plan outlines the process for exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the LightPress Lightbox plugin (versions <= 2.3.4).

1. Vulnerability Summary

The LightPress Lightbox plugin is vulnerable to Stored XSS via the group attribute of the WordPress [gallery] shortcode. The plugin hooks into the post_gallery filter to capture the group attribute and subsequently modifies the HTML output (likely via the_content or by overriding the gallery output) to inject this value into the rel attribute of image links. Because the group value is concatenated into the HTML string without using esc_attr() or similar sanitization, an authenticated attacker with Contributor-level permissions can break out of the HTML attribute and inject arbitrary JavaScript.

2. Attack Vector Analysis

• Target Endpoint: Post/Page creation/editor (/wp-admin/post-new.php or REST API /wp/v2/posts).
• Vulnerable Component: The [gallery] shortcode processing logic.
• Vulnerable Parameter: The group attribute within the shortcode.
• Authentication Level: Contributor or higher (any role capable of using shortcodes in posts).
• Preconditions: The plugin must be active. A post containing the malicious shortcode must be published or previewed.

3. Code Flow

1. Entry Point: An authenticated user saves or previews a post containing: [gallery group='"><script>alert(1)</script>'].
2. Shortcode Handling: When the post is rendered, WordPress triggers the post_gallery filter.
3. Plugin Hook: In lightboxes/wp-jquery-lightbox/class-wp-jquery-lightbox.php, the constructor registers the filter:
   add_filter( 'post_gallery', array( $this, 'filter_groups' ), 10, 2 );
4. State Storage: The filter_groups function (or jqlb_filter_groups in legacy mode) extracts the group attribute:

   // In wp-jquery-lightbox-legacy.php
   function jqlb_filter_groups($output, $attr) {
       global $jqlb_group;
       if(isset($attr['group'])){
           $jqlb_group = $attr['group']; // Raw input assigned to global
       }
       return $output;
   }
   

5. Sink: The plugin later processes the content, likely in filter_content (registered at line 91 of class-wp-jquery-lightbox.php on the the_content hook). It searches for image links within the gallery and appends rel="lightbox[GROUP_VALUE]".
6. XSS Trigger: Because GROUP_VALUE (the group attribute) is not escaped with esc_attr(), the payload "><script>alert(1)</script> closes the rel attribute and the <a> tag, allowing the script to execute.

4. Nonce Acquisition Strategy

This vulnerability does not require a plugin-specific nonce for the execution phase, as the XSS is stored and executes when the page is viewed. However, the injection phase (saving the post) requires standard WordPress authentication and nonces.

Strategy for Automated Agent:

1. Use the wp_cli tool to create a post directly. This bypasses the need to manually extract CSRF nonces from the WordPress editor UI.
2. Alternatively, if using the UI via browser_navigate:
   • The _wpnonce and _wp_http_referer are standard in the post.php form.
   • No specialized wp_localize_script nonce is needed because we are not targeting an AJAX endpoint, but rather the shortcode rendering engine.

5. Exploitation Strategy

The exploitation will involve creating a post as a Contributor and then verifying the XSS as an unauthenticated visitor.

1. Login as Contributor: Authenticate as a user with the contributor role.
2. Upload Media (Optional but Recommended): Ensure at least one image exists in the media library so the [gallery] shortcode renders actual <a> tags.
3. Create Malicious Post: Use wp_cli to create a post containing the payload.
   • Payload: [gallery ids="1" group='"><script>alert(window.origin)</script>']
4. View Post: Use the http_request tool to navigate to the frontend URL of the newly created post.
5. Verify Payload Execution: Inspect the response body to confirm the presence of the unescaped script tag within the gallery HTML.

6. Test Data Setup

• User: A user with the username contributor_user and role contributor.
• Media: At least one attachment. We can use wp media import to add a placeholder image.
• Shortcode: [gallery ids="ID_HERE" group='"><img src=x onerror=alert(document.domain)>']

7. Expected Results

• The HTTP response for the post's frontend page should contain the string:
  rel="lightbox["><img src=x onerror=alert(document.domain)>]"
• The browser (if rendered) would trigger the alert.
• The raw HTML will show the rel attribute being prematurely closed by the "> characters in our payload.

8. Verification Steps

1. Check Post Content:
   wp post get <POST_ID> --field=post_content
2. Verify HTML Output:
   Use http_request to fetch the post and grep for the payload:
   grep -P 'rel="lightbox\["><script'
3. Confirm Lack of Escaping:
   Verify that the " and > characters are NOT converted to " and >.

9. Alternative Approaches

• Legacy Mode: If the plugin is configured to use the legacy file (JQLB_LEGACY constant set to true), target the jqlb_filter_groups function in lightboxes/wp-jquery-lightbox/wp-jquery-lightbox-legacy.php.
• Attribute Variations: If group is not reflected in rel, check for it in data-lightbox-group or other custom data attributes the plugin might use to categorize images.
• Comments XSS: The plugin also has a lightbox_comment filter (line 94 of class-wp-jquery-lightbox.php). If this filter uses the same lightbox_group logic, XSS might be possible via comment text if the plugin attempts to "lightbox" links within comments.