CVE-2021-31693
Description
The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889. NOTE: VMware information, previously connected to this CVE ID because of a typo, is at CVE-2022-31693.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Photo Gallery plugin ≤1.5.68 is vulnerable to unauthenticated stored XSS via album_gallery_id_0, bwg_album_search_0, and type_0 parameters.
Vulnerability
The 10Web Photo Gallery plugin for WordPress through version 1.5.68 is vulnerable to stored cross-site scripting (XSS) [1]. The issue exists in the handling of the parameters album_gallery_id_0, bwg_album_search_0, and type_0 passed via bwg_frontend_data. An attacker can inject arbitrary JavaScript code that is stored and later executed in the context of an administrator's browser session when they view the affected gallery pages. Versions 1.5.68 and earlier are affected.
Exploitation
An attacker does not need authentication; they can submit a crafted request to the vulnerable WordPress instance containing malicious payloads in the affected parameters [1]. The injected script is stored on the server. When a site administrator visits the gallery management page or a gallery page that renders the stored data, the malicious script executes. The attack requires no special network position beyond network access to the site.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of an authenticated administrator [1]. This can result in theft of session cookies, defacement of the site, or administrative account takeover, leading to full compromise of the WordPress installation.
Mitigation
The vendor released version 1.5.69, which addresses this issue [1]. Users should update to 1.5.69 or later immediately. No workaround is provided for versions 1.5.68 and earlier. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of writing.
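A triage sketch to go with the update advice, added here as an example and not taken from the plugin, the vendor, or the cited reference: it checks whether an installed version falls in the affected range and flags access-log requests that carry markup characters in the three named parameters. Assumptions: combined-format access logs, parameters sent in the query string (POST bodies are not logged), purely numeric dotted versions, and constructed sample lines with a placeholder path and documentation-range addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names and version bound taken from the CVE description.
AFFECTED_PARAMS = {"album_gallery_id_0", "bwg_album_search_0", "type_0"}
LAST_AFFECTED = (1, 5, 68)  # "through 1.5.68"

# Characters needed to open a tag or break out of a quoted attribute.
MARKUP = re.compile(r"[<>\"'`]")
# Assumption: the request line is quoted, as in combined log format.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def is_affected(version):
    """True when a numeric dotted plugin version is 1.5.68 or earlier."""
    return tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED


def suspicious_params(line):
    """Return (name, decoded value) for affected parameters carrying markup."""
    m = REQUEST.search(line)
    if not m:
        return []
    hits = []
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second pass catches double encoding
        if name in AFFECTED_PARAMS and MARKUP.search(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Return (1-based line number, hits) for every flagged log line."""
    flagged = [(n, suspicious_params(l)) for n, l in enumerate(lines, 1)]
    return [(n, hits) for n, hits in flagged if hits]


# Constructed sample lines (placeholder path, non-executing markup).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2021:10:00:00 +0000] '
    '"GET /example?bwg_album_search_0=sunset&type_0=album HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2021:10:00:05 +0000] '
    '"GET /example?type_0=%22%3E%3Cb%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2021:10:00:09 +0000] '
    '"GET /example?album_gallery_id_0=7&page=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(is_affected("1.5.68"), scan(SAMPLE_LOG))
```

A hit is a lead for review, not proof of compromise; a clean log does not rule out requests whose parameters travelled in a POST body.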
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 10Web/Photo Gallery plugin
Patches
No patches discovered yet.
References