VYPR
Medium severity (6.4) · NVD Advisory · Published Jun 13, 2026

CVE-2026-9134

Description

FooGallery plugin for WordPress has a stored XSS vulnerability via the 'custom_attribute_key' shortcode parameter, due to incomplete event handler blacklist.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In the FooGallery plugin for WordPress, versions up to and including 3.1.31, the foogallery_sanitize_javascript() function employs an incomplete blacklist that blocks only a subset of JavaScript event handlers (such as onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror), while allowing others like onmouseenter. Additionally, the foogallery_build_container_attributes_safe() function fails to escape the attribute key when generating the gallery container HTML. This flaw permits authenticated attackers with contributor-level access or above to inject arbitrary web scripts via the custom_attribute_key shortcode parameter [1][2][3][4].

Exploitation

An attacker must have at least a contributor-level account on the WordPress site. The attacker then inserts a FooGallery shortcode with a crafted custom_attribute_key that includes an allowed but dangerous event attribute (e.g., onmouseenter) containing a JavaScript payload. When the gallery is rendered, the attribute is inserted into the HTML without proper escaping, resulting in the script being stored in the page. Any user who visits the affected page will trigger the code when their browser processes the event (e.g., mouse entering the gallery container) [1][2][4].

Impact

A successful exploit allows the attacker to execute arbitrary JavaScript in the context of any user's browser that accesses the compromised page. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack does not require any special user interaction beyond normal page navigation [1][4].

Mitigation

The vulnerability is fixed in FooGallery version 3.1.32 (the release date is not disclosed in the cited references). The fix updates the foogallery_sanitize_javascript() function to escape or block all event handlers and ensures attribute keys are sanitized before output [1]. Administrators should update the plugin to version 3.1.32 or later immediately; no workaround is provided for unsupported versions.
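To make the root cause in the Vulnerability section and the shape of the fix in the Mitigation section concrete, here is an added example (not FooGallery's code; the function names are hypothetical) that contrasts a denylist of event-handler names with an allowlist applied to the attribute key before it is escaped and emitted. htmlspecialchars() stands in for WordPress's esc_attr().

```php
<?php
// Added example, not FooGallery's code: a denylist of handler names (the
// pattern the advisory describes) next to an allowlist on the attribute KEY.
// Function names are hypothetical.

// Denylist in the style the advisory describes: blocks a fixed set of
// handler names and passes every other key through unchanged.
function denylist_sanitize_key(string $key): string {
    $blocked = ['onmouseover', 'onmouseout', 'onpointerenter',
                'onclick', 'onload', 'onchange', 'onerror'];
    return in_array(strtolower($key), $blocked, true) ? '' : $key;
}

// Allowlist: the key must be a plain hyphenated identifier and must not be
// an on* attribute, so every event handler (present or future) is rejected
// and no quote, space or slash can break out of the attribute position.
function allowlist_sanitize_key(string $key): string {
    $key = strtolower(trim($key));
    if (!preg_match('/^[a-z][a-z0-9-]*$/', $key) || strncmp($key, 'on', 2) === 0) {
        return '';
    }
    return $key;
}

// Build one container attribute: validate the key, escape both halves, and
// drop the attribute entirely rather than emit a partial one.
function build_container_attribute(string $key, string $value): string {
    $safe_key = allowlist_sanitize_key($key);
    if ($safe_key === '') {
        return '';
    }
    return sprintf(' %s="%s"',
        htmlspecialchars($safe_key, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample keys: a legitimate data-* key, the handler the advisory
// says the denylist misses, and a key that tries to close the attribute.
$samples = ['data-lightbox', 'onmouseenter', 'x" onmouseenter="1'];
foreach ($samples as $k) {
    printf("%-24s denylist=%-24s allowlist=%s\n",
        var_export($k, true),
        var_export(denylist_sanitize_key($k), true),
        var_export(allowlist_sanitize_key($k), true));
}
echo build_container_attribute('data-lightbox', 'fg'), "\n"; // data-lightbox="fg"
echo build_container_attribute('onmouseenter', 'x'), "|\n";  // empty: dropped
```

Only the first sample survives the allowlist; the denylist passes the other two through unchanged, which is exactly the gap the advisory describes.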

AI Insight generated on Jun 13, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2 · Patches: 1 · References: 5 · News mentions: 0

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet. No linked articles in our index yet.