Gallery Images Ape is a WordPress plugin for displaying pictures. One of its stored XSS vulnerabilities can be reproduced as follows:

1. Create a new gallery, upload a picture and insert the payload in the picture's title:

"><script>alert(123)</script><"

and add the picture to the gallery.

2. Publish the gallery.

3. The newly published gallery can be seen in Overview.

4. Copy the Shortcode corresponding to the gallery, add the Shortcode to an article, and publish the article.

5. Visit the blog homepage: the pop-up window appears, showing that the payload has been executed.

Vulnerability details:

The back-end plugin saves the data it receives from the client directly to the database, without filtering or escaping any sensitive characters.

When the client requests this data, "classGallery.php" shows that the back-end plugin simply reads the data out of the database and concatenates it into the output.
The only filtering occurs in the "getCategories" function, which calls "esc_attr" to HTML-encode sensitive characters in the gallery title and icon. No other data is filtered at all; it is returned to the client unchanged, which is what produces the stored XSS vulnerability.
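To make the root cause and its fix concrete, here is an added PHP example (not the plugin's own classGallery.php; the function and variable names are hypothetical) showing the raw-concatenation pattern described above beside the escaped form. It assumes WordPress's esc_attr()/esc_html() behave like htmlspecialchars() with ENT_QUOTES, and shims them so the script runs outside WordPress.

```php
<?php
// Added illustrative example, not code from the Gallery Images Ape plugin.
// Function and variable names below are hypothetical.

// Assumption: outside WordPress, stand in for esc_attr()/esc_html() with
// htmlspecialchars(); both WordPress functions HTML-encode < > & " '.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample row, as it would come back from the gallery table after
// the title from step 1 was stored without any filtering.
$image = [
    'src'   => '/wp-content/uploads/sample.jpg',
    'title' => '"><script>alert(123)</script><"',
];

// Vulnerable pattern: stored values are concatenated into the markup verbatim,
// so the leading quote closes the title attribute and the <script> tag is
// emitted as live HTML to every visitor of the page.
function render_image_unsafe(array $image): string {
    return '<img src="' . $image['src'] . '" title="' . $image['title'] . '">'
         . '<p>' . $image['title'] . '</p>';
}

// Hardened form: escape each value for the context it is emitted into,
// attribute values with esc_attr() and text nodes with esc_html().
// (WordPress also provides esc_url() specifically for URL attributes.)
function render_image_safe(array $image): string {
    return '<img src="' . esc_attr($image['src']) . '" title="' . esc_attr($image['title']) . '">'
         . '<p>' . esc_html($image['title']) . '</p>';
}

echo "Unsafe: ", render_image_unsafe($image), "\n";
echo "Safe:   ", render_image_safe($image), "\n";
```

In the safe output the title is rendered as literal text (`&quot;&gt;&lt;script&gt;...`), so the browser never sees a script element; escaping on output is the fix regardless of whether input is also filtered on save.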