The plugin did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which is executed when the image is accessed directly (i.e. in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue.
{"id": "WPEX-ID:57823DCB-2149-47F7-AAE2-D9F04DCE851A", "type": "wpexploit", "bulletinFamily": "exploit", "title": "Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG", "description": "The plugin did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue\n", "published": "2021-07-18T00:00:00", "modified": "2021-07-19T08:02:32", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {}, "cvss3": {}, "href": "", "reporter": "wpvulndb", "references": [], "cvelist": ["CVE-2021-24362"], "immutableFields": [], "lastseen": "2021-09-14T23:39:45", "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24362"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:57823DCB-2149-47F7-AAE2-D9F04DCE851A"]}], "rev": 4}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24362"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:57823DCB-2149-47F7-AAE2-D9F04DCE851A"]}]}, "exploitation": null, "vulnersScore": 0.3}, "sourceData": "When editing or creating a gallery, Click 'Add Images' then 'Upload Files' and upload an SVG with JavaScript code, then access the uploaded image from the uploads folder directly, e.g https://example.com/wp-content/uploads/photo-gallery/xss.svg\r\n\r\nExample of malicious SVG:\r\n<?xml version=\"1.0\" standalone=\"no\"?> <!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\r\n<svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\">\r\n <polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/>\r\n <script type=\"text/javascript\">alert(document.domain);</script>\r\n</svg>\r\n", "generation": 0, "_state": {"dependencies": 1646323131, "score": 1659846169}, "_internal": {"score_hash": "77615e08633ff1c4a8f3b9cde81b3412"}}
{"cve": [{"lastseen": "2022-03-23T14:53:08", "description": "The Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-08-16T11:15:00", "type": "cve", "title": "CVE-2021-24362", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24362"], "modified": "2021-08-23T16:43:00", "cpe": [], "id": "CVE-2021-24362", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24362", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "wpvulndb": [{"lastseen": "2021-09-14T23:39:45", "description": "The plugin did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue\n\n### PoC\n\nWhen editing or creating a gallery, Click 'Add Images' then 'Upload Files' and upload an SVG with JavaScript code, then access the uploaded image from the uploads folder directly, e.g https://example.com/wp-content/uploads/photo-gallery/xss.svg Example of malicious SVG: \n", "cvss3": {}, "published": "2021-07-18T00:00:00", "type": "wpvulndb", "title": "Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-24362"], "modified": "2021-07-19T08:02:32", "id": "WPVDB-ID:57823DCB-2149-47F7-AAE2-D9F04DCE851A", "href": "https://wpscan.com/vulnerability/57823dcb-2149-47f7-aae2-d9f04dce851a", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}