WordPress Plugin Vulnerabilities

Image Gallery - Grid Gallery < 1.1.6 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise or escape some of its Image fields before rendering them in the gallery output. A high-privileged user such as an administrator can therefore store script in a gallery item and have it execute in the browser of anyone viewing a post or page that embeds the gallery. Because the plugin writes the values itself rather than through WordPress core's content filters, the injection works even where the unfiltered_html capability is disallowed (for example on multisite installs or with DISALLOW_UNFILTERED_HTML set), which is the case this capability normally prevents.

Proof of Concept

Create a gallery with the "Gallery Theme" set to "Gallery Image 2", add an image and put the following payload in the "Image Description" field: <svg/onload=alert(/XSS/)>
Save the image and the gallery, then view a post or page where the gallery is embedded to trigger the XSS.

The "Image Title" field was also vulnerable, with a payload such as "><img src onerror=alert(/XSS/)> (that field was fixed in 1.1.5; the "Image Description" field remained exploitable until 1.1.6).
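The following PHP is an added illustration for this advisory and is not the Grid Gallery plugin's own code or anything published by WPScan or the researcher. It reproduces the rendering pattern the advisory describes (administrator-supplied "Image Title" and "Image Description" values concatenated into the gallery template unescaped) next to a context-aware escaped version, and runs both against the two proof-of-concept payloads. The function names, the item array layout and the markup are assumptions made for the example; only esc_attr(), esc_html(), esc_url() and wp_kses_post() are real WordPress APIs, and the first two are approximated with htmlspecialchars() so the file also runs under plain php on the command line.

```php
<?php
// Added illustration for this advisory; NOT the Grid Gallery plugin's code.
// Demonstrates the unescaped rendering pattern the advisory describes next to
// a context-aware escaped version, checked against both PoC payloads.
// When WordPress is not loaded, esc_attr()/esc_html() are stand-ins built on
// htmlspecialchars(); inside WordPress the real functions are used.

if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Vulnerable pattern (hypothetical): stored fields are concatenated into
 * markup as-is. The plugin, not WordPress core, writes these values, so the
 * unfiltered_html capability never gets a say; that is why the advisory says
 * the issue persists even when that capability is disallowed.
 */
function render_item_unsafe(array $item): string
{
    return '<figure class="gallery-item">'
         . '<img src="' . $item['url'] . '" alt="' . $item['title'] . '">'
         . '<figcaption>' . $item['description'] . '</figcaption>'
         . '</figure>';
}

/**
 * Hardened pattern: escape each value for the context it lands in.
 *   title       -> inside a double-quoted attribute -> esc_attr()
 *   description -> HTML text content                -> esc_html()
 * In real WordPress code the src attribute should go through esc_url();
 * esc_attr() is used for it here only so the file runs without WordPress.
 * If the description must keep some inline HTML, wp_kses_post() is the
 * WordPress allowlist filter to use instead of esc_html().
 */
function render_item_safe(array $item): string
{
    return '<figure class="gallery-item">'
         . '<img src="' . esc_attr($item['url']) . '" alt="' . esc_attr($item['title']) . '">'
         . '<figcaption>' . esc_html($item['description']) . '</figcaption>'
         . '</figure>';
}

/** True if either stored payload reaches the output byte-for-byte. */
function payload_survives(array $item, string $html): bool
{
    foreach (['title', 'description'] as $field) {
        if (strpos($html, $item[$field]) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample item carrying both payloads from the proof of concept.
$item = [
    'url'         => 'https://example.com/wp-content/uploads/photo.jpg',
    'title'       => '"><img src onerror=alert(/XSS/)>',
    'description' => '<svg/onload=alert(/XSS/)>',
];

printf("unsafe template, payload reaches page: %s\n",
    payload_survives($item, render_item_unsafe($item)) ? 'yes' : 'no');
printf("safe template,   payload reaches page: %s\n",
    payload_survives($item, render_item_safe($item)) ? 'yes' : 'no');
echo render_item_safe($item), "\n";
```

The title payload breaks out of the alt="…" attribute in the unsafe template and opens a new img element with an onerror handler, while the description payload lands directly in text content as an svg element with an onload handler. Escaping with the function that matches the output context turns both into inert text; when reviewing a fix for this class of bug, check that every echo of a stored field is wrapped this way rather than relying on capability checks at save time.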

Affects Plugins

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Fayçal CHENA
Submitter
Fayçal CHENA
Verified
Yes

Timeline

Publicly Published
2022-06-03
Added
2022-06-03
Last Updated
2023-03-06
