Photo Gallery < 1.8.34 – Unauthenticated Stored XSS | CVE 2025-0613

Description

The plugin does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed

Proof of Concept

### Set up the plugin

The following steps will guide you through setting up the plugin:

1. Install and activate the `photo-gallery` plugin

2. Unlock the premium features by either
   a. Buying a licence
   b. Flipping the boolean `public $is_pro = FALSE;` on line 52 of `photo-gallery.php`

3. Create a new gallery and add at least 1 image, then generate a preview URL. This will also work the same against any published gallery.
   * Add New Gallery from `/wp-admin/admin.php?page=galleries_bwg` 
   * Enter a title in 'Gallery Title'
   * Click 'Add images'
   * Click 'Upload Files'
   * Add an image
   * Click 'Add selected image to gallery'
   * Click 'Update'
   * Click 'preview'
   * Generate a preview URL e.g. `/bwg_gallery/test-gallery/?bwg-preview-type=image_browser#bwg1`  (or publish a gallery live)

### Exploitation

1. As an unauthenticated user visit the URL of the gallery noted from set up above e.g. `/bwg_gallery/test-gallery/?bwg-preview-type=image_browser`
2. Click on an image from the gallery and click on the comment icon (speech-bubble) to open the comments & form
3. Enter anything valid for the name/email and the following payload for the comment and submit the form: <img src=x onerror=alert(/XSS/)>

4. Observe JS execution immediately as this user, and by any other user subsequently visiting the image where the comment has been added.

## Additional Impact

The plugin allows comments to be saved even if they do not have the premium version. This means that an attacker could mass inject payloads into the any user of this plugin in the hopes that some of them will eventually upgrade to the paid version. When they upgrade the saved payloads will be served on any of their existing galleries, increasing the impact of this finding. This can be tested by flipping the boolean as discussed earlier in the report.

```
POST /wp-admin/admin-ajax.php?action=GalleryBox&image_id=1&gallery_id=1&tag=0&theme_id=1&shortcode_id=1 HTTP/1.1
Host: wordpress.local:1337

ajax_task=add_comment&comment_name=test&comment_email=test%40test.com&comment_text=%3Cimg+src%3Dx+onerror%3Dalert(/XSS/)%3E&popup_enable_captcha=&privacy_policy=0&comment_image_id=1&comment_moderation=
```