GRAND FlaGallery <= 6.1.2 – Admin+ Stored Cross-Site Scripting | CVE 2021-24903 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Create/edit a gallery and put the following payload in the "Back Button Text" setting, then publish it: "><script>alert(/XSS/)</script>

The XSS will be triggered when accessing the gallery setting again, as well as in page/s where the Gallery is embed

Affects Plugins

flash-album-gallery

No known fix

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tyler Miller

Submitter

Tyler Miller

Submitter twitter

Verified

Yes

WPVDB ID

ad67e45e-254a-46ce-a243-bfc86839446e

Timeline

Publicly Published

2021-11-12 (about 2 years ago)

Added

2022-01-26 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2023-12-26

Title

TheGem < 5.9.2 - Reflected Cross-Site Scripting

Published

2023-06-15

Title

NextGen GalleryView <= 0.5.5 - Reflected XSS

Published

2023-02-03

Title

Podlove Podcast Publisher < 3.8.3 - Admin+ Stored XSS

Published

2024-05-09

Title

HTML5 Audio Player- Best WordPress Audio Player Plugin < 2.2.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Published

2014-04-25

Title

Shortcode Ninja <= 1.4 - Unauthenticated Reflected XSS