WordPress Plugin Vulnerabilities

GRAND Flash Album Gallery < 1.76 - Reflected Cross-Site Scripting via wp-admin/admin.php skin parameter

Description

The plugin did not sanitise or escape the skin parameter before putting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
flash-album-gallery
Fixed in 1.76

References

URL
https://packetstormsecurity.com/files/#112704/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Heine Pedersen, Torben Jensen
Verified
Yes
WPVDB ID
2c1c7691-b340-4ee0-b5c7-b29d06e93361

Timeline

Publicly Published
2014-08-01 (about 11 years ago)
Added
2014-08-01 (about 11 years ago)
Last Updated
2021-08-20 (about 4 years ago)

Other

Published
Title
Published
2015-02-21
Title
AdPlugg <= 1.1.33 - Stored Cross-Site Scripting (XSS)
Published
2024-10-01
Title
MC4WP: Mailchimp Top Bar < 1.6.1 - Reflected Cross-Site Scripting
Published
2024-12-02
Title
Campaign Monitor Forms by Optin Cat < 2.5.8 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
WP Lead Management 3.0.0 - Script Insertion Vulnerabilities
Published
2025-04-10
Title
Everest Forms < 3.1.2 - Reflected Cross-Site Scripting