WordPress Filter Gallery Plugin < 0.1.6 – Admin+ Stored XSS | CVE 2022-4142

Description

The plugin does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfiltered_html capability is disabled.

Proof of Concept

Create a new filter with the name "<svg onload('alert(123);')>", save it and reload the page.

Affects Plugins

filter-gallery

Fixed in 0.1.6

References

CVE

CVE-2022-4142

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

iohex

Submitter

iohex

Submitter twitter

iohehe

Verified

Yes

WPVDB ID

8c2adadd-0684-49a8-9185-0c7d9581aef1

Timeline

Publicly Published

2022-12-06 (about 1 years ago)

Added

2022-12-06 (about 1 years ago)

Last Updated

2022-12-06 (about 1 years ago)

Other

Published

Title

Published

2017-05-31

Title

WP No External Links <= 3.5.18 – Authenticated Cross-Site Scripting (XSS)

Published

2021-02-08

Title

WP Amour < 1.5.7 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-03-07

Title

Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multi Scroll Widget

Published

2023-04-20

Title

WPJAM Basic < 6.2.1.1 - Contributor+ Stored XSS

Published

2023-11-14

Title

Namaste! LMS < 2.6.1.2 - Reflected Cross-Site Scripting