WordPress Plugin Vulnerabilities

Grid Gallery < 1.2.5 - Authenticated Stored Cross Site Scripting (XSS)

Description

The plugin does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
new-grid-gallery
Fixed in 1.2.5

References

CVE
CVE-2021-24529

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Amal E Thamban
Submitter
Amal E Thamban
Submitter twitter
Amalthamban
Verified
Yes
WPVDB ID
8953d931-19f9-4b73-991c-9c48db1af8b5

Timeline

Publicly Published
2021-07-21 (about 4 years ago)
Added
2021-07-21 (about 4 years ago)
Last Updated
2021-08-10 (about 4 years ago)

Other

Published
Title
Published
2025-06-23
Title
MagOne <= 8.5 - Reflected Cross-Site Scripting
Published
2024-07-19
Title
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor < 1.26.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via File Upload
Published
2014-08-01
Title
fGallery_Plus - fim_rss.php album Parameter Reflected XSS
Published
2023-08-28
Title
Popup Builder < 4.2.0 - Admin+ Stored Cross-Site Scripting
Published
2021-08-13
Title
Skaut bazar < 1.3.3 - Reflected Cross-Site Scripting