Photos and Files Contest Gallery < 21.3.1 – Author+ Stored Cross Site Scripting | CVE 2024-1487 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.

Proof of Concept

1. Add a New gallery, and click on the "Add files" button to add content.
2. Now add a description for this content with the XSS payload and save the changes: <script>alert('XSS');</script>
3. Click on the "cg_gallery_no_voting" that redirects to the page to display the content. It will appear in the pop-up alert.

Affects Plugins

contest-gallery

Fixed in 21.3.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Giulio

Submitter

Mistborn

Submitter twitter

Verified

Yes

WPVDB ID

c028cd73-f30a-4c8b-870f-3071055f0496

Timeline

Publicly Published

2024-02-14 (about 1 year ago)

Added

2024-02-14 (about 1 year ago)

Last Updated

2024-02-14 (about 1 year ago)

Other

Published

Title

Published

2023-11-29

Title

WP Event Manager < 3.1.42 - Editor+ Stored XSS

Published

2023-05-12

Title

Get Your Number <= 1.1.3 - Admin+ Stored XSS

Published

2024-08-16

Title

Newsletters < 4.9.9 - Reflected Cross-Site Scripting

Published

2024-04-26

Title

Getwid – Gutenberg Blocks < 2.0.8 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Countdown'

Published

2025-09-05

Title

Get Cash <= 3.2.3 - Contributor+ Stored XSS