Photo Gallery By Foogallery
Monthly
Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.