Envira Gallery < 1.8.15 – Author+ Stored XSS | CVE 2024-3899 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks.

Proof of Concept

Edit an Image from a Gallery (using the blue "Modify Image" overlay button when editing a Gallery) and add the following payload to the "Title" field: &lt;img src=x onerror=alert(1)&gt;

The XSS will be triggered on page/post where the gallery is embed (for example via the related shortcode)

Affects Plugins

envira-gallery-lite

Fixed in 1.8.15

References

CVE

URL

https://research.cleantalk.org/cve-2024-3899/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

e3afadda-4d9a-4a51-b744-10de7d8d8578

Timeline

Publicly Published

2024-08-20 (about 1 year ago)

Added

2024-08-20 (about 1 year ago)

Last Updated

2024-09-24 (about 1 year ago)

Other

Published

Title

Published

2023-03-03

Title

FareHarbor for WordPress < 3.6.7 - Admin+ Stored XSS

Published

2022-11-04

Title

WP Admin UI Customize < 1.5.13 - Admin+ Stored XSS

Published

2022-10-28

Title

Slideshow SE < 2.5.6 - Author+ Stored XSS

Published

2025-02-24

Title

List Related Attachments <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-10-02

Title

Email posts to subscribers <= 6.2 - Admin+ Stored XSS