CVE-2020-9003

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Modula Image Gallery plugin for WordPress, affecting versions before 2.2.5 [1][2]. The flaw allows an authenticated user with low privileges (e.g., subscriber or contributor) to inject arbitrary JavaScript code into gallery fields, which is then stored and executed when other users view the gallery.

Exploitation

An attacker must have a WordPress account with at least the ability to create or edit galleries (typically Contributor or Author role). The attacker crafts a malicious payload (e.g., ``) and inserts it into an unsuspecting input field (such as image caption or description) within the gallery editor. When an administrator or other user visits the affected gallery page, the injected script executes in their browser.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can result in session hijacking, defacement, theft of cookies or authentication tokens, and potentially privilege escalation if the victim is an administrator. The attack is stored, meaning the payload persists until removed.

Mitigation

The vulnerability is fixed in version 2.2.5 of the Modula Image Gallery plugin [1][2]. Users should update to at least this version immediately. No workarounds are documented; the only mitigation is to apply the patch. The plugin is actively maintained, and the latest version (2.14.28 as of the reference) includes the fix.