• I have the most recent versions of the NextGen Gallery WordPress plugin and the NextGen Gallery Pro WordPress plugin. I checked the first 5 pages of the forum and couldn’t find anything dealing with my issue, and I searched Google for “WordPress plugin nextgen gallery xss” and the most recent article that came up was from four years ago. This is not an issue caused by an upgrade. All of the server hosting questions from your READ THIS post passed. We’re hosted with GoDaddy, running the Avada theme, and I’ve verified that this issue persists when I activate the newest version of the TwentyFourteen theme and only the two NextGen Gallery plugins that we have on the site. I believe that is all the information you asked for.

    I was recently contacted by GoDaddy. They reported that the NextGen gallery was making our pages/posts vulnerable to cross-scripting attacks through parameter names. They reported the vulnerability to us as the following url trailer to our posts (www.mysite.com/post_name/trailer…)

    nggallery/page/2?"><script>alert(303);</script>

    I’ve verified that the issue was present before I upgraded to the newest version of the base plugin (WordPress and the pro plugin were already at the newest version), and also after I upgraded the base plugin.

    Any help with this would be appreciated. Thanks.

    https://www.ads-software.com/plugins/nextgen-gallery/
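For readers trying to understand the class of bug the scanner flagged in this post, here is an added, hypothetical PHP illustration (not NextGEN Gallery's code): a pagination helper that reflects the request URI into an `href` attribute, beside a form that rebuilds the URL with context-appropriate encoding. The function names and the `/page/N` rewriting are assumptions for the example.

```php
<?php
// Hypothetical pagination helper (added example, not NextGEN Gallery's code).
// Vulnerable form: the raw request URI is reflected into an href attribute.
// A query string that begins with "> closes the attribute and the tag, so any
// markup that follows is rendered and scripts in it run in the page's origin.
function build_page_link_vulnerable(string $request_uri, int $page): string
{
    $base = preg_replace('#/page/\d+#', '', $request_uri);
    return '<a href="' . $base . '/page/' . $page . '">Next</a>';
}

// Hardened form: never reflect raw input. Parse the URI, rebuild the path and
// page number from validated pieces, percent-encode query names AND values for
// the URL context, then HTML-encode the result for the attribute context.
function build_page_link_safe(string $request_uri, int $page): string
{
    $parts = parse_url($request_uri);
    $path  = preg_replace('#/page/\d+#', '', $parts['path'] ?? '/');
    $query = [];
    parse_str($parts['query'] ?? '', $query);   // keys and values decoded

    $href = $path . '/page/' . max(1, $page);
    if ($query !== []) {
        // http_build_query percent-encodes parameter names as well as values,
        // so a hostile name can no longer carry quotes or angle brackets.
        $href .= '?' . http_build_query($query);
    }
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Next</a>';
}

// Constructed sample: the URL trailer quoted in the report above, as a path.
$probe = '/post_name/nggallery/page/2?"><script>alert(303);</script>';

// The first line contains a live <script> element; the second contains only a
// percent-encoded parameter name inside a properly quoted attribute.
echo build_page_link_vulnerable($probe, 3), PHP_EOL;
echo build_page_link_safe($probe, 3), PHP_EOL;
```

Run with `php example.php` and compare the two lines: the difference between them is exactly the attribute breakout the scanner reported.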

Viewing 1 replies (of 1 total)
  • Plugin Contributor photocrati

    (@photocrati)

    @writerdangaidin – Please contact our support team directly via your member’s area at https://nextgen-gallery.com/ with any questions or concerns regarding NextGEN Pro (or, of course, NextGEN Gallery).

    As to any issues of vulnerability we would most definitely like to address them but there really is not much detail in your topic. Please forward the appropriate information you received from GoDaddy via a report from your member’s area so we can address this as quickly as possible.

    Thanks!

    – Cais.

  • The topic ‘Plugin vulnerable to XSS on parameter names’ is closed to new replies.