The Photospace Gallery plugin for WordPress, in versions up to and including 2.3.5, is vulnerable to Stored Cross-Site Scripting through the settings parameters saved by its update() function, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level permissions or above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. The record below carries two CVSS 3.1 ratings for this issue: NVD scores it 5.4 (UI:R) and the CNA, Wordfence, scores it 6.4 (UI:N), so the two differ only in whether user interaction is counted as required.
{"id": "CVE-2022-3991", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-3991", "description": "The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", "published": "2022-11-29T21:15:00", "modified": "2022-12-01T19:09:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3991", "reporter": "security@wordfence.com", "references": ["https://plugins.trac.wordpress.org/browser/photospace/trunk/photospace.php#L87", "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3991"], "cvelist": ["CVE-2022-3991"], "immutableFields": [], "lastseen": "2022-12-01T21:10:52", "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "wpvulndb", "idList": ["WPVDB-ID:9601D04B-2807-40D5-9824-A3558B3F7C27"]}]}, "score": {"value": 5.1, "vector": "NONE"}, "twitter": {"counter": 7, "tweets": [{"link": "https://twitter.com/CVEnew/status/1597708307791331329", "text": "CVE-2022-3991 The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 
2.3.5 due to insufficient input sanitization and o... https://t.co/sKbDgwB3Zn", "author": "CVEnew", "author_photo": "https://pbs.twimg.com/profile_images/1447927972393111557/PQRMlVvZ_400x400.jpg"}, {"link": "https://twitter.com/threatintelctr/status/1597703658858315776", "text": " NEW: CVE-2022-3991 The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 2.3.5 d... (click for more) https://t.co/YTWCw0AON3", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/threatintelctr/status/1597711211562381312", "text": " NEW: CVE-2022-3991 The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 2.3.5 d... (click for more) https://t.co/YTWCw0SpEB", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/vulnonym/status/1597760560883433474", "text": "Hi, I'm CVE-2022-3991. 
I was never good with numbers though, so you can call me Overland Prototherian\nhttps://t.co/XlNagKDMox", "author": "vulnonym", "author_photo": "https://pbs.twimg.com/profile_images/1235605772878438405/6p9IJVtn_400x400.jpg"}]}, "affected_software": {"major_version": [{"name": "photospace gallery project photospace gallery", "version": 2}]}, "vulnersScore": 5.1}, "_state": {"dependencies": 1670066695, "score": 1670066695, "twitter": 0, "affected_software_major_version": 1671611801}, "_internal": {"score_hash": "2716563cbd853efebeb5fee1f9500d61"}, "cna_cvss": {"cna": "Wordfence", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "score": 6.4}}}, "cpe": ["cpe:/a:photospace_gallery_project:photospace_gallery:2.3.5"], "cpe23": ["cpe:2.3:a:photospace_gallery_project:photospace_gallery:2.3.5:*:*:*:*:wordpress:*:*"], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "photospace_gallery_project:photospace_gallery", "version": "2.3.5", "operator": "le", "name": "photospace gallery project photospace gallery"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:photospace_gallery_project:photospace_gallery:2.3.5:*:*:*:*:wordpress:*:*", "versionEndIncluding": "2.3.5", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://plugins.trac.wordpress.org/browser/photospace/trunk/photospace.php#L87", "name": "https://plugins.trac.wordpress.org/browser/photospace/trunk/photospace.php#L87", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3991", "name": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3991", "refsource": "MISC", "tags": ["Third Party Advisory"]}]}
{"wpvulndb": [{"lastseen": "2022-12-02T02:17:09", "description": "The plugin does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting attacks\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-11-14T00:00:00", "type": "wpvulndb", "title": "Photospace Gallery <= 2.3.5 - Subscriber+ Stored Cross-Site Scripting", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-3991"], "modified": "2022-11-15T10:12:33", "id": "WPVDB-ID:9601D04B-2807-40D5-9824-A3558B3F7C27", "href": "https://wpscan.com/vulnerability/9601d04b-2807-40d5-9824-a3558b3f7c27", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "cnvd": [{"lastseen": "2022-12-09T11:23:22", "description": "WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress Photospace Gallery plugin 2.3.5 and its previous versions are vulnerable to cross-site scripting, which stems from insufficient input cleanup and output escaping, and the settings parameters saved via the update() function are vulnerable to stored cross-site scripting. 
An authenticated attacker could use the vulnerability to inject cross-site code and launch an XSS attack.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-11-30T00:00:00", "type": "cnvd", "title": "WordPress Photospace Gallery plugin cross-site scripting vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-3991"], "modified": "2022-12-09T00:00:00", "id": "CNVD-2022-86359", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-86359", "cvss": {"score": 0.0, "vector": "NONE"}}]}