With over 12 million downloads, Photo Gallery is one of the most popular WordPress plugins; users should be sure to upgrade to the latest version.
FortiGuard Labs disclosed a vulnerability today in the WordPress Photo Gallery plugin that could potentially be used to gather information from system administrators. With over 100,000 active installations and robust photo management and editing tools, this particular cross-site scripting vulnerability has significant security implications across the many retail, media, and other WordPress-driven websites that use it to display and host pictures.
This particular issue disclosed today is a cross-site scripting (XSS) vulnerability. XSS allows hackers to inject a client-side script into a web application, generally through an input field whose contents are not properly validated or encoded before the application renders them back into a page. Wikipedia (yes, Wikipedia) gives a great example of how XSS might be used to steal sensitive information from users or even administrators.
In the case of the Photo Gallery plugin, an attacker must already have at least edit rights on the site. Because those uploading photos will often have elevated privileges, the injected script could potentially be executed every time an administrator adds a photo to the gallery. As in the Wikipedia example above, the script could hijack an administrator’s browsing session and steal information from a variety of users.
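The stored-XSS pattern described above, as an added example that is not code from the FortiGuard post or from the Photo Gallery plugin: a gallery renders photo metadata submitted by an editor-level user into an admin page, once by raw string concatenation and once with context-aware output encoding (the WordPress equivalents are esc_html() and esc_attr()). The photo record and its field names are constructed for the example.

```javascript
// Added example (not from the FortiGuard post or the Photo Gallery plugin).
// Models how stored photo metadata reaches an administrator's page and why
// output encoding, rather than trusting the submitted text, is the fix.

// Escape a value for use as HTML text content or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: stored fields are concatenated straight into markup,
// so whatever the uploading user typed becomes part of the admin page.
function renderPhotoUnsafe(photo) {
  return '<figure><img src="' + photo.file + '" alt="' + photo.alt + '">' +
         '<figcaption>' + photo.title + '</figcaption></figure>';
}

// Hardened pattern: every untrusted field is escaped for its output context
// (attribute values and text content) before it is placed in the markup.
function renderPhotoSafe(photo) {
  return '<figure><img src="' + escapeHtml(photo.file) +
         '" alt="' + escapeHtml(photo.alt) + '">' +
         '<figcaption>' + escapeHtml(photo.title) + '</figcaption></figure>';
}

// Review helper: the template itself contributes exactly five tags, so any
// extra '<' in the rendered output came from the stored data.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample record: a photo whose title carries a script, as a user
// with edit rights could submit through the plugin's photo form.
const samplePhoto = {
  file: 'uploads/2015/team.jpg',
  alt: 'Team photo',
  title: 'Team <script>alert(document.cookie)</script>',
};

console.log(renderPhotoUnsafe(samplePhoto)); // script tag survives intact
console.log(renderPhotoSafe(samplePhoto));   // rendered as harmless text
```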
FortiGuard Labs actually discovered the vulnerability in early February and notified the vendor immediately. The vendor, Web-Dorado, fixed the issue within a week with the release of version 1.2.13 of the plugin. Because it takes some time for new vulnerabilities to be added to the CVE (Common Vulnerabilities and Exposures, a centralized dictionary of known security issues like this), the actual public disclosure took a bit longer.
As this chart from the plugin page shows, there are still many sites actively using legacy versions of Photo Gallery. The latest stable version of Photo Gallery is 1.12.15, so users should check their installations and upgrade immediately if they haven’t already done so.