CVE-2019-16117
Description
Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in 10Web Photo Gallery plugin before 1.5.35 for WordPress allows admin users to inject arbitrary JavaScript via unsanitized image alt text.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the 10Web Photo Gallery plugin (photo-gallery) for WordPress in versions prior to 1.5.35. The issue resides in admin/models/Galleries.php, where the alt parameter (image alt text) is not properly sanitized or escaped before being returned to the administrative panel. Specifically, the plugin passes the value through WDWLibrary::spider_replace4byte($alt) and later WDWLibrary::escape('', $row->alt); neither call prevents injected HTML or JavaScript from executing in the admin context [1][2].
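The pattern behind this class of bug, as an added illustration that is not the plugin's own code: a stored alt value printed back into an HTML attribute of the gallery editor without attribute-context escaping, next to the hardened render. The field names, the constructed gallery row, the payload, and the fallback esc_attr() (a stand-in so the script runs outside WordPress) are assumptions; inside WordPress the real esc_attr() is used.

```php
<?php
// Added example, not code from the 10Web Photo Gallery plugin.
// Shows why output escaping, not only input filtering, closes a stored XSS
// in an image "alt" field that the admin gallery editor prints back.

// Stand-in for WordPress's esc_attr() so this file runs on plain PHP.
// Assumption: when loaded inside WordPress the real function already exists.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Stand-in for WordPress's sanitize_text_field(): strips tags and whitespace
// but, like the real one, leaves quote characters in place.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        return trim(strip_tags((string) $text));
    }
}

// Constructed gallery row, as the editor would receive it from the database.
// The alt value is what a user with gallery-editing rights saved.
$row = (object) [
    'id'  => 7,
    'alt' => '" autofocus onfocus="fetch(\'/wp-admin/user-new.php\')" x="',
];

// Vulnerable pattern: stored value concatenated into an attribute unchanged.
// Even a tag-stripping filter at save time does not help here, because the
// payload contains no tags; it closes the attribute and adds an event handler.
function render_alt_vulnerable($row) {
    $alt = sanitize_text_field($row->alt);
    return '<input type="text" name="alt_' . (int) $row->id . '" value="' . $alt . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// Quotes become &quot;, so the value cannot leave the attribute.
function render_alt_hardened($row) {
    return '<input type="text" name="alt_' . (int) $row->id . '" value="' . esc_attr($row->alt) . '">';
}

// Reviewer's check: did the raw stored value survive into the markup with its
// quote intact? True means the attribute can be broken out of.
function attribute_breakout($html, $value) {
    return strpos($html, $value) !== false;
}

if (PHP_SAPI === 'cli') {
    echo render_alt_vulnerable($row), "\n";
    echo render_alt_hardened($row), "\n";
    var_dump(attribute_breakout(render_alt_vulnerable($row), $row->alt));
    var_dump(attribute_breakout(render_alt_hardened($row), $row->alt));
}
```

The point of the side-by-side is the placement of the escape: the value is escaped where it is written into HTML, with the function that matches that context (esc_attr() for attributes, esc_html() for element text, esc_url() for href or src). A helper that only strips tags or replaces a few characters on the way into the database, as the advisory describes for this plugin, is not a substitute.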
Exploitation
An authenticated attacker with access to the WordPress admin panel (at minimum a user role capable of editing galleries, typically Administrator) can inject a malicious payload into the alt field of an image within a gallery. By simply saving the gallery, the crafted alt text is stored and rendered unsafely in the gallery management interface. When other admin users view or manage the gallery, the injected script executes in their browser session [2][3]. Note that the attacker must already hold gallery-editing rights; where those rights are limited to Administrators, the bug provides persistence and the ability to act through other administrators' sessions rather than privilege escalation.
Impact
Successful exploitation leads to arbitrary JavaScript execution within the context of the WordPress admin panel. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is unlikely; the realistic path is riding the victim's session from the injected script, harvesting a nonce from the page and calling admin-ajax.php or the REST API as the victim. From there an attacker could modify plugin settings, create new privileged users, or upload malicious files, effectively achieving full compromise of the WordPress site [3].
Mitigation
The issue is fixed in version 1.5.35 of the plugin. Update to at least this version immediately. No workaround is available, as the vulnerability stems from core input handling in the admin gallery editor; until the update is applied, the only risk reduction is limiting which accounts may edit galleries. After updating, review existing galleries for alt text containing markup or quote characters, since payloads stored before the fix remain in the database. The plugin is actively maintained and no EOL notice exists.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/photo-gallery
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- packetstormsecurity.com/files/154433/WordPress-Photo-Gallery-1.5.34-Cross-Site-Scripting.html
- plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php
- wordpress.org/plugins/photo-gallery/
- wpvulndb.com/vulnerabilities/9872
News mentions
No linked articles in our index yet.