Fortinet Discovers WordPress Gallery Plugin - NextGEN Gallery Cross-Site Scripting Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a cross-site scripting vulnerability in WordPress Gallery Plugin - NextGEN Gallery.
NextGEN Gallery has been the industry's standard WordPress gallery plugin since 2007 and continues to receive over 1.5 million new downloads per year. It's easy for simple photo galleries, but powerful enough for the most demanding photographers, visual artists, and imaging professionals.
A cross-site scripting vulnerability has been discovered in NextGEN Gallery 2.2.30 and earlier versions. The vulnerability is caused by an error because the image Alt & Title Text doesn't correctly process user-supplied data.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:Imagely.NextGEN.ImageAttr.XSS
Released Jan 10, 2018
FortiWeb can protect this specific vulnerability since the signature package 12.307.
Users should apply the solution provided by Imagely.
Timeline
Fortinet reported the vulnerability to Imagely on December 22, 2017.
Imagely confirmed the vulnerability on December 27, 2017.
Imagely patched the vulnerability on February 14, 2018.