Gallery Images Ape is a WordPress plugin for displaying pictures. One of its stored XSS vulnerabilities is reproduced as follows:

1. Create a new gallery, upload a picture, insert the payload in the picture's title, and add the picture to the gallery.

2. Publish the gallery.

3. The newly published gallery appears in Overview.

4. Copy the shortcode corresponding to the gallery, add it to an article, then publish the article.

5. Visit the blog homepage: the pop-up window appears, showing that the payload executed.

Vulnerability details:

The back end saves the data received from the client directly to the database without filtering or escaping any sensitive characters.

When the client requests the data, the back end (see "classGallery.php") reads it straight from the database and concatenates it into the HTML output.
The only filtering occurs in the "getCategories" function, which escapes the gallery title and icon information for use in HTML attributes by calling "esc_attr". No other data is filtered; it is returned to the client as stored, which leads to the stored XSS vulnerability.
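As an added example (not the plugin's own code), here is the unescaped-concatenation pattern described above beside a hardened form that escapes at output with the WordPress escapers; the `$image` array shape and the function names are assumptions:

```php
<?php
// Added example, not Gallery Images Ape code. Assumes a hypothetical
// $image array with 'url' and 'title' keys holding values read from the database.

// Outside WordPress, fall back to htmlspecialchars() so this file runs stand-alone.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
    function esc_html($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}

// Vulnerable: the stored title is concatenated straight into the HTML,
// both inside an attribute and as element text (the pattern the write-up describes).
function render_image_unsafe(array $image): string {
    return '<img src="' . $image['url'] . '" title="' . $image['title'] . '">'
         . '<span>' . $image['title'] . '</span>';
}

// Hardened: escape at output, choosing the escaper for the context
// (esc_attr inside attributes, esc_html in element text, esc_url for the src).
function render_image_safe(array $image): string {
    $url = function_exists('esc_url') ? esc_url($image['url']) : esc_attr($image['url']);
    return '<img src="' . $url . '" title="' . esc_attr($image['title']) . '">'
         . '<span>' . esc_html($image['title']) . '</span>';
}

// Constructed sample: a title carrying markup, as a user-controlled value might.
$image = ['url' => 'https://example.com/a.jpg', 'title' => 'Sunset"><b>injected</b>'];

echo render_image_unsafe($image), "\n"; // the quote closes the attribute; <b> becomes live markup
echo render_image_safe($image), "\n";   // quote and angle brackets render as literal text
```

Output-time escaping is the fix that matters here; sanitising the title on save (for example with `sanitize_text_field`) is a useful second layer but does not replace it.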