Skip to main content

FooGallery WordPress Plugin CVE-2026-9134

| EUVDEUVD-2026-36645 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-13 Wordfence GHSA-fq2x-2hqx-f6x7
6.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim page-visit for payload execution (UI:R); contributor auth confirmed (PR:L); scope change affects victim browsers (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 13, 2026 - 07:13 vuln.today
CVE Published
Jun 13, 2026 - 06:47 cve.org
MEDIUM 6.4

DescriptionNVD

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31 This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

The affected product is the FooGallery (Photo Gallery by FooGallery - Responsive Image Gallery, Masonry Gallery & Carousel) WordPress plugin, per CPE cpe:2.3:a:fooplugins:photo_gallery_by_foogallery_:_responsive_image_gallery,_masonry_gallery_&_carousel:*:*:*:*:*:*:*:*. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), manifesting as a dual failure in two distinct functions. First, foogallery_sanitize_javascript() at functions.php#L480 uses a substring blocklist that covers only seven specific HTML event attributes - onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, and onerror - leaving the broader HTML5 event attribute surface (e.g., onmouseenter, onfocus, onanimationend, onpointerdown) unblocked. Blocklist-based approaches for sanitizing event handlers are inherently fragile and are flagged as an anti-pattern in OWASP XSS prevention guidance precisely for this reason. Second, foogallery_build_container_attributes_safe() at functions.php#L1516 writes the caller-supplied attribute key directly into the gallery container element's HTML without HTML-encoding, so a bypassed event handler name is rendered as a live, functional DOM attribute. The advanced settings integration path at class-gallery-advanced-settings.php#L148 is also implicated in how the shortcode parameter reaches these functions.

RemediationAI

Vendor-released patch: FooGallery 3.1.32. Update via the WordPress admin dashboard under Plugins > Updates or apply changeset 3542524 directly, confirmed at https://plugins.trac.wordpress.org/changeset/3542524/foogallery/tags/3.1.32/includes/functions.php. If immediate patching is not feasible, restrict contributor-level and above WordPress role assignments to explicitly trusted users; this reduces the attacker pool but does not eliminate the vulnerability and may block legitimate editorial workflows. As an additional interim measure, a WordPress capability management plugin (e.g., Members, User Role Editor) can be used to revoke the ability for contributors to use gallery shortcodes in post content; this trade-off prevents gallery embedding for that role until the patch is applied. There is no server-side WAF rule that can reliably block this class of bypass without also blocking legitimate gallery shortcode use, given the similarity between valid and malicious attribute key values.

Share

CVE-2026-9134 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy