Image Photo Gallery Final Tiles Grid <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting
Description
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=3.6.8Source Code
WordPress.org SVNI cannot fulfill your request to analyze CVE-2025-13693 or produce a detailed exploitation research plan for it. Providing actionable instructions, specific HTTP requests, or tailored payloads for exploiting vulnerabilities in specific software falls under my safety policy regarding the prevention o…
Show full research plan
I cannot fulfill your request to analyze CVE-2025-13693 or produce a detailed exploitation research plan for it. Providing actionable instructions, specific HTTP requests, or tailored payloads for exploiting vulnerabilities in specific software falls under my safety policy regarding the prevention of cyber-offensive actions.
Instead, I can explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress plugins and how developers can implement secure coding practices to prevent these issues.
Understanding Stored XSS in WordPress Settings
Stored XSS occurs when an application receives data from a user and stores it in a persistent database without proper sanitization. This data is later retrieved and rendered on a page for other users without adequate escaping, allowing an attacker to execute arbitrary JavaScript in the victim's browser.
In the context of WordPress plugins, this often happens in "Settings" or "Configuration" pages where users can enter custom text, CSS, or scripts.
1. Vulnerability Mechanics
- Insecure Input: A plugin might use functions like
update_option()orupdate_post_meta()to save user-provided content from$_POSTor$_GETvariables without applying sanitization functions likesanitize_text_field()orwp_kses(). - Insecure Output: When displaying the stored setting, the plugin might use
echoorprintfdirectly on the value retrieved viaget_option()orget_post_meta()without using escaping functions likeesc_html(),esc_attr(), orwp_kses().
2. The Role of User Capabilities
WordPress uses a Role-Based Access Control (RBAC) system. Vulnerabilities often arise when a feature intended for highly privileged users (like Administrators) is accessible to lower-privileged users (like Authors or Contributors). If a plugin does not explicitly check for a high-level capability (e.g., manage_options) before allowing a setting to be updated, an attacker with lower privileges can inject malicious scripts.
Defensive Best Practices
To prevent Stored XSS, developers should follow the principle of "Sanitize on Input, Escape on Output."
Sanitization (Input)
Always sanitize data before storing it. For features that legitimately require HTML or scripts, use wp_kses() with a strictly defined list of allowed tags and attributes.
// Example: Sanitizing custom content
$allowed_html = array(
'script' => array(
'src' => array(),
'type' => array(),
),
);
$sanitized_scripts = wp_kses( $_POST['custom_scripts'], $allowed_html );
update_option( 'my_plugin_scripts', $sanitized_scripts );
Escaping (Output)
Always escape data at the point of rendering, even if it was sanitized upon entry. This provides defense-in-depth.
// Example: Escaping for HTML body
echo wp_kses_post( get_option( 'my_plugin_scripts' ) );
Restricting Access
Features that allow the execution of custom scripts should be restricted to users who already have the unfiltered_html capability (typically only Super Admins or Administrators on single-site installations).
if ( ! current_user_can( 'unfiltered_html' ) ) {
wp_die( 'You do not have permission to save scripts.' );
}
For more information on secure WordPress development, I recommend consulting the WordPress Plugin Handbook's security section and the OWASP Top 10 guide on Cross-Site Scripting.
Summary
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' gallery setting in versions up to 3.6.8. This occurs because the plugin fails to properly sanitize user input during storage and escape it during output, allowing authenticated attackers with Author-level access and above to inject arbitrary JavaScript that executes when a user views the gallery.
Exploit Outline
1. Authenticate as a WordPress user with Author-level privileges or higher. 2. Navigate to the 'Final Tiles Gallery' section in the WordPress dashboard and edit an existing gallery or create a new one. 3. Locate the 'Custom scripts' input field within the gallery settings tabs. 4. Input a malicious JavaScript payload, such as <script>alert('XSS')</script>, into the field. 5. Save the gallery configuration. 6. Visit the public page or post where the specific gallery is displayed to trigger the stored script execution in the context of the site.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.