WordPress Plugin Vulnerabilities

Robo Gallery < 3.2.18 - Author+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting idue to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
robo-gallery
Fixed in 3.2.18

References

CVE
CVE-2024-22295
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/02073716-4f6a-4a51-933f-c5ab8dfbc08c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Bryan Satyamulya
Verified
No
WPVDB ID
521987b6-f0dc-4510-8ad0-f9af338069bd

Timeline

Publicly Published
2024-01-17 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2024-04-16
Title
HT Mega < 2.4.7 - Contributor+ Stored XSS via Lightbox Widget
Published
2024-03-15
Title
GiveWP < 3.4.0 - Reflected Cross-Site Scripting
Published
2024-04-18
Title
Ungallery <= 2.2.4 - Stored XSS via CSRF
Published
2024-04-09
Title
Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via "Price List" Element
Published
2025-02-25
Title
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates < 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting