CVE-2019-16118
Description
Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in 10Web Photo Gallery plugin for WordPress before 1.5.35 via admin/controllers/Options.php allows admin-level script injection.
Vulnerability
The Photo Gallery (10Web Photo Gallery) plugin for WordPress before version 1.5.35 contains a cross-site scripting (XSS) vulnerability in admin/controllers/Options.php. The plugin fails to properly sanitize user-supplied input when saving options, allowing arbitrary JavaScript to be injected [1][2][3].
Exploitation
An attacker must have administrative access to the WordPress site. The attacker can craft malicious input in the plugin's options fields and save them. When the administrator subsequently views the options page, the injected script executes in the context of the admin session [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the admin's browser, potentially leading to session hijacking, privilege escalation, or defacement of the admin panel [2].
Mitigation
The vulnerability is fixed in version 1.5.35 of the plugin [1]. Users should update to 1.5.35 or later. No workarounds are known.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- WordPress/photo-gallerydescription
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- packetstormsecurity.com/files/154433/WordPress-Photo-Gallery-1.5.34-Cross-Site-Scripting.htmlmitrex_refsource_MISC
- plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Options.phpmitrex_refsource_MISC
- plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/js/bwg.jsmitrex_refsource_MISC
- wordpress.org/plugins/photo-gallery/mitrex_refsource_MISC
- wpvulndb.com/vulnerabilities/9872mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.