WordPress Plugin Vulnerabilities

Gallery by BestWebSoft < 4.7.0 - Author+ Stored Cross-Site Scripting

Description

The plugin does not perform proper sanitization of gallery information, leading to a Stored Cross-Site Scription vulnerability. The attacker must have at least the privileges of the Author role.

Proof of Concept

1. Go to Galleries > Add New.
2. Click "Add Media" and choose or upload an image.
3. When publishing (or updating) the Gallery, intercept the request and change the POST parameter with name `gllr_image_text%5B13%5D` (note the `13` is an ID and will be different in each case). Set the value to `" onload="alert(/XSS/)" e="`.
4. Load the Gallery on the frontend and see the alert.

The XSS can also be attained with the same payload in the `gllr_image_alt_tag%5B13%5D` parameter.

Affects Plugins

Plugin icon
gallery-plugin
Fixed in 4.7.0

References

CVE
CVE-2023-0764

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
d48c6c50-3734-4191-9833-0d9b09b1bd8a

Timeline

Publicly Published
2023-03-27 (about 1 years ago)
Added
2023-03-27 (about 1 years ago)
Last Updated
2023-03-27 (about 1 years ago)

Other

Published
Title
Published
2023-09-25
Title
WoodMart < 7.2.5 - Reflected XSS
Published
2023-04-25
Title
Shield Security < 17.0.18 - Unauthenticated Stored XSS
Published
2016-08-03
Title
WordPress Landing Pages <= 2.2.4 - Reflected Cross-Site Scripting (XSS)
Published
2022-06-14
Title
WooCommerce PDF Invoices & Packing Slips < 2.15.0 - Reflected Cross-Site Scripting
Published
2023-04-06
Title
Easy Sign Up <= 3.4.1 - Contributor+ Stored XSS