Simple Photoswipe <= 0.1 – Admin+ Stored XSS | CVE 2024-5473 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1) As admin, go to plugin settings (wp-admin/options-general.php?page=admin-options.php)
2) In either "Bar Size" or "Image Counter Separator" add the payload "/><script>alert(1)</script>
3) Save and reload the page to see the popup

---

As user:
Requisite: a post or page with the gallery widget
1) Visit any post that contains the gallery widget
2) The malicious payload above will get reflected inside the page source code.

Affects Plugins

simple-photoswipe

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Felipe Caon

Submitter

caon

Submitter website

https://caon.io

Verified

Yes

WPVDB ID

9c70cfc4-5759-469a-a6a3-510c405bd28a

Timeline

Publicly Published

2024-06-05 (about 25 days ago)

Added

2024-06-05 (about 24 days ago)

Last Updated

2024-06-05 (about 24 days ago)

Other

Published

Title

Published

2023-08-28

Title

Sitekit < 1.5 - Contributor+ Stored XSS

Published

2024-05-06

Title

TT Custom Post Type Creator <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-01-11

Title

Flexible Captcha <= 4.1 - Contributor+ Stored XSS

Published

2023-08-24

Title

FV Flowplayer Video Player < 7.5.39.7212 - Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update

Published

2015-04-22

Title

Option Tree < 2.5.4 - XSS