Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin

Wordfence

On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to inject malicious JavaScript that executes whenever a site administrator accesses the PhotoSwipe Options page or a user accesses a page with a gallery created by the plugin.

All Wordfence users, including users of our Free, Premium, Care, and Response products are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting (XSS) protection.

We attempted to reach out to the developer on November 11, 2021, the same day we discovered the vulnerability. We never received a response after a couple of follow-ups, so we sent the full details to the WordPress plugins team on November 20, 2021. The plugin was fully patched on January 14, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Photoswipe Masonry Gallery”, which is version 1.2.18 at the time of this publication.

Description: Authenticated Stored Cross-Site Scripting
Affected Plugin: Photoswipe Masonry Gallery
Plugin Slug: photoswipe-masonry
Plugin Developer: Web Design
