Photo Gallery < 1.8.3 - Stored XSS via CSRF

The plugin does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page under their control. Note: The XSS will only trigger for the attacked user and be reset when they logout

PoC

Make a logged in admin open one of the below URL: https://example.com/wp-admin/admin-ajax.php?action=addMusic&amp;sort;_by=“;alert(/XSS/);” https://example.com/wp-admin/admin-ajax.php?action=addMusic&amp;sort;_by=size&amp;sort;_order=“;alert(/XSS-order/);” Even though the request above will result in a “Sorry, your nonce did not verify.” error, the XSS payload will trigger when an admin attempts to add a new image to a gallery.