[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fETdlXWSpIOFMCDAwhMAygk8gN8oZ5ZiCJQ8i30vEARc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32356","robo-gallery-authenticated-contributor-stored-cross-site-scripting","Robo Gallery \u003C= 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","robo-gallery",null,"\u003C=5.1.2","5.1.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-14 00:00:00","2026-04-15 21:04:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0ccc60f3-122f-4959-b629-4b83d17083ad?source=api-prod",61,[22,23,24,25,26,27,28,29],"app\u002Fapp.php","app\u002Fclass.brand.php","app\u002Fclass.listing.php","app\u002Fclass.php","app\u002Fclass.utils.php","app\u002Fclass.view.php","app\u002Fextensions\u002Faccess\u002FAccessPasswordManager.php","app\u002Fextensions\u002Faccess\u002FGalleryPermalinkModifier.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32356 (Robo Gallery Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Robo Gallery** plugin for WordPress (versions \u003C= 5.1.2) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sufficiently sanitize and escape gallery settings and metadata before rendering them in the admin dashboard and on the front-end via shortcodes. Specifically, an authenticated attacker with **Contributor-level** permissions or higher can inject malicious JavaScript into gallery configuration fields (stored as `postmeta`). When an administrator or any site visitor views a page containing the gallery, the script executes in their browser context.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Post Type**: `robo_gallery` (defined by the constant `ROBO_GALLERY_TYPE_POST`).\n- **Endpoint**: `wp-admin\u002Fpost.php` (Standard WordPress post\u002Fmeta update) or the plugin's AJAX save handlers.\n- **Vulnerable Parameters**: \n - `post_title` (if the plugin echoes it without escaping in the gallery view).\n - Meta fields prefixed with `robo_gallery_`, such as `robo_gallery_gallery_type_source` or image-specific metadata.\n- **Authentication**: Required (Contributor+). Contributors can create and edit their own `robo_gallery` posts.\n- **Preconditions**: The attacker must be able to create or edit a `robo_gallery` post and place its shortcode `[robo-gallery id=\"...\"]` on a page they can publish (or wait for an admin to view the gallery).\n\n## 3. Code Flow\n1. **Input**: A Contributor sends a POST request to `wp-admin\u002Fpost.php` with `action=editpost`, including a malicious payload in the title or `meta_input`.\n2. **Storage**: WordPress (or the plugin's `save_post` logic) saves the payload into the `wp_posts` table (for title) or `wp_postmeta` table (for settings).\n3. **Retrieval**: When the shortcode `[robo-gallery]` is processed, the plugin calls `get_post_meta` to retrieve gallery settings.\n4. **Sink**: The plugin uses `rbsGalleryClassView::render` (defined in `app\u002Fclass.view.php`) to extract these variables into a template.\n5. **Execution**: The template (e.g., in `extensions\u002FgalleryType\u002F`) echoes the retrieved meta values without using `esc_html()` or `esc_attr()`, leading to XSS.\n\n## 4. Nonce Acquisition Strategy\nTo save changes to a gallery, a Contributor needs a valid WordPress `_wpnonce`.\n1. **Identify Entry Point**: Contributors can access the \"Gallery\" menu in the WordPress dashboard.\n2. **Create Post**: Create a draft gallery to get a valid Post ID.\n3. **Navigate**: Use `browser_navigate` to `wp-admin\u002Fpost.php?post=[ID]&action=edit`.\n4. **Extract Nonce**: Use `browser_eval` to extract the `_wpnonce` from the hidden input field in the `#post` form.\n - JavaScript: `document.querySelector('input[name=\"_wpnonce\"]').value`\n5. **AJAX Nonce (Optional)**: If the plugin uses AJAX for settings, the nonce is often localized in a script. Based on `app\u002Fclass.listing.php`, look for the variable `robo-gallery-lising-js` or similar in `wp_localize_script`.\n\n## 5. Exploitation Strategy\n### Step 1: Create a Gallery Post\nUse WP-CLI to create a gallery post as a Contributor.\n```bash\nwp post create --post_type=robo_gallery --post_status=publish --post_title=\"Initial Gallery\" --post_author=[CONTRIBUTOR_ID]\n```\n\n### Step 2: Extract Nonce and Post ID\nNavigate to the edit page of the newly created gallery to capture the `_wpnonce`.\n\n### Step 3: Inject Payload via `editpost`\nSend a POST request to `wp-admin\u002Fpost.php` to update the gallery with XSS payloads.\n\n**HTTP Request:**\n- **URL**: `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fpost.php`\n- **Method**: `POST`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body**:\n```url\naction=editpost\n&post_ID=[GALLERY_ID]\n&_wpnonce=[EXTRACTED_NONCE]\n&post_title=Test Gallery \u003Cscript>alert('XSS_IN_TITLE')\u003C\u002Fscript>\n&meta_input[robo_gallery_gallery_type_source]=\u003Cscript>alert('XSS_IN_META')\u003C\u002Fscript>\n&meta_input[robo_gallery_gallery_type]=grid\n```\n\n### Step 4: Embed Gallery in a Public Page\nAs the Contributor, create a public page that renders this gallery.\n```bash\nwp post create --post_type=page --post_status=publish --post_title=\"Gallery Page\" --post_content='[robo-gallery id=\"[GALLERY_ID]\"]'\n```\n\n### Step 5: Trigger XSS\nNavigate to the URL of the \"Gallery Page\" as an unauthenticated user or an Admin to trigger the execution.\n\n## 6. Test Data Setup\n1. **Users**:\n - Contributor: `username: contributor`, `password: password123`\n2. **Plugin**: Robo Gallery (slug: `robo-gallery`) version 5.1.2 installed and active.\n3. **Content**: One `robo_gallery` post and one `page` post containing the shortcode.\n\n## 7. Expected Results\n- When the page containing the `[robo-gallery]` shortcode is loaded, a browser alert dialog should appear with the text `'XSS_IN_TITLE'` or `'XSS_IN_META'`.\n- Inspection of the page source should show the raw `\u003Cscript>` tags injected into the HTML without being encoded as `<script>`.\n\n## 8. Verification Steps\n1. **Verify Storage**: Use WP-CLI to check if the payload is in the database.\n ```bash\n wp post get [GALLERY_ID] --field=post_title\n wp post meta get [GALLERY_ID] robo_gallery_gallery_type_source\n ```\n2. **Verify Output**: Use `http_request` to fetch the public page and grep for the script.\n ```bash\n # Use the http_request tool and check for:\n # \u003Cscript>alert('XSS_IN_TITLE')\u003C\u002Fscript>\n ```\n\n## 9. Alternative Approaches\n- **Image Title XSS**: If the gallery settings are sanitized, try injecting the payload into the \"Title\" or \"Caption\" of an image attached to the gallery. This is often handled via the `wp_ajax_robo_gallery_save_image_data` (inferred) AJAX action.\n- **Admin Dashboard XSS**: Check if the payload executes in `wp-admin\u002Fedit.php?post_type=robo_gallery`. `app\u002Fclass.listing.php` suggests custom columns are added. If any of these columns (like a \"Gallery Preview\" or \"Description\") echo meta, the XSS will fire when an Admin views the gallery list.","The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 5.1.2. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript into gallery configuration fields or post titles, which then execute in the browser context of any user viewing the gallery.","\u002F\u002F app\u002Fclass.utils.php line 125\nstatic function getSourceGallery($galleryId = 0)\n{\n\n $fieldName = ROBO_GALLERY_PREFIX . 'gallery_type';\n $galleryType = '';\n\n if (isset($_GET[$fieldName]) && $_GET[$fieldName]) {\n $galleryType = preg_replace(\"\u002F[^A-Za-z-0-9]\u002F\", \"\", $_GET[$fieldName]);\n }\n\n if (!$galleryId) {\n $galleryId = self::getIdGallery();\n }\n\n if ($galleryId) {\n $galleryType_temp = get_post_meta($galleryId, $fieldName . '_source', true);\n if ($galleryType_temp) {\n $galleryType = $galleryType_temp;\n }\n\n }\n return $galleryType;\n}\n\n---\n\n\u002F\u002F app\u002Fclass.view.php line 30\npublic function render($template, array $vars = array())\n{\n $templatePath = $this->templatePath . $template . '.tpl.php';\n\n if (!file_exists($templatePath)) {\n throw new Exception( \"Could not find template. Template: {$template}\");\n }\n extract($vars);\n require $templatePath;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frobo-gallery\u002F5.1.2\u002Fapp\u002Fapp.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frobo-gallery\u002F5.1.3\u002Fapp\u002Fapp.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frobo-gallery\u002F5.1.2\u002Fapp\u002Fapp.php\t2025-12-28 11:15:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frobo-gallery\u002F5.1.3\u002Fapp\u002Fapp.php\t2026-02-25 11:00:00.000000000 +0000\n@@ -2,7 +2,7 @@\n \n \u002F* \n * Robo Gallery \n-* Version: 5.1.0 - 50521\n+* Version: 5.1.2 - 54264\n * By Robosoft\n *\n * Contact: https:\u002F\u002Frobogallery.co\u002F \n... (truncated)","To exploit this vulnerability, an attacker with Contributor-level permissions must first create or edit a 'robo_gallery' post type. By navigating to the edit page (wp-admin\u002Fpost.php?post=[ID]&action=edit), the attacker captures a valid WordPress nonce. The attacker then submits a POST request to wp-admin\u002Fpost.php using the 'editpost' action, embedding a script payload within the 'post_title' or gallery-specific meta fields such as 'meta_input[robo_gallery_gallery_type_source]'. Once saved, the attacker places the gallery shortcode [robo-gallery id=\"...\"] on a page they can publish. When an administrator or visitor views that page, the plugin retrieves the malicious meta values and renders them without proper sanitization or escaping, triggering the execution of the injected script.","gemini-3-flash-preview","2026-04-20 22:36:00","2026-04-20 22:36:47",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frobo-gallery\u002Ftags\u002F5.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frobo-gallery.5.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frobo-gallery\u002Ftags\u002F5.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frobo-gallery.5.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frobo-gallery\u002Ftags"]