Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More
Monthly
Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.
Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.