Envira Gallery Lite < 1.8.4.7 - Reflected Cross-Site Scripting
Description
Reflected XSS in Envira Gallery Lite plugin for WordPress before 1.8.4.7 via unsanitized REQUEST_URI output in an attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Envira Gallery Lite plugin for WordPress, in versions before 1.8.4.7, outputs the $_SERVER['REQUEST_URI'] server variable into an HTML attribute without escaping it, as reported in [1]. Because the request URI is entirely attacker-controlled, a crafted URL can close the attribute and inject markup, so arbitrary JavaScript runs in the victim's browser when the page is rendered.
Exploitation
An attacker crafts a URL whose path or query string carries the payload, typically a double quote to break out of the attribute followed by an event handler or a script tag. No authentication is required; the victim only has to open the link. The caveat carried over from the original report is that modern browsers percent-encode characters such as the double quote before sending the request, and PHP exposes REQUEST_URI exactly as received, without decoding it, so the reflected value arrives already neutralised. Practical exploitation therefore needs an older browser that sends those characters literally.
Impact
Successful exploitation gives the attacker arbitrary JavaScript execution in the victim's browser, in the origin of the WordPress site. This can result in session hijacking, defacement, or redirection to malicious sites; if the victim is a logged-in administrator, the script runs with that user's privileges, including the ability to request nonces and perform admin actions. The impact is limited to the victim's browser session and the context of the affected site.
Mitigation
The issue is fixed in version 1.8.4.7 of the Envira Gallery Lite plugin. Users should update to this version or later; no workaround is provided. Site owners can confirm the installed version from the Plugins screen or with WP-CLI's wp plugin list. The vulnerability was publicly disclosed on 2022-10-10.
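To make the Vulnerability, Exploitation and Mitigation sections above concrete, here is an added example in PHP. It is not Envira Gallery Lite's code: the hidden-field markup and the field name "redirect" are assumed, and the request targets are constructed. It shows the unsafe pattern the advisory describes beside a hardened form, and why the same payload is harmless once the browser has percent-encoded it.

```php
<?php
// Added example (not the plugin's code). The attribute and the field name
// "redirect" are assumptions; the request targets below are constructed.

// Vulnerable: raw $_SERVER['REQUEST_URI'] interpolated into a double-quoted
// attribute. A literal '"' in the URI terminates the value and the rest of
// the URI is parsed as markup.
function render_vulnerable(array $server): string
{
    return '<input type="hidden" name="redirect" value="' . $server['REQUEST_URI'] . '">';
}

// Hardened: escape for the attribute context. ENT_QUOTES covers both quote
// styles; in WordPress the equivalent helpers are esc_attr() for a plain
// attribute or esc_url() for a URL-valued one.
function render_hardened(array $server): string
{
    $uri = htmlspecialchars($server['REQUEST_URI'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="redirect" value="' . $uri . '">';
}

// Constructed request targets. PHP hands REQUEST_URI over exactly as the
// client sent it, without percent-decoding, so these two reach the HTML
// differently even though they decode to the same string.
$raw     = '/wp-admin/admin.php?page=envira-gallery&x="><svg onload=alert(1)>';        // quote sent literally (old browser)
$encoded = '/wp-admin/admin.php?page=envira-gallery&x=%22%3E%3Csvg%20onload=alert(1)%3E'; // as a browser that encodes ", < and > sends it

foreach (['raw' => $raw, 'encoded' => $encoded] as $label => $uri) {
    $server = ['REQUEST_URI' => $uri];
    echo "[$label] vulnerable: ", render_vulnerable($server), PHP_EOL;
    echo "[$label] hardened:   ", render_hardened($server), PHP_EOL;
}
```

With the raw target, render_vulnerable() emits an attribute that closes at the injected quote and is followed by a live svg element with an onload handler; render_hardened() emits the same characters as &quot;&gt;&lt;svg ... &gt;, which stays inside the attribute value. With the percent-encoded target, both renderers emit %22%3E%3Csvg..., which the browser never interprets as markup. That difference is the reason the advisory limits exploitation to browsers that send such characters unencoded.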
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.8.4.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.