Fortinet Discovers Multiple Cross Site Scripting Vulnerabilities in WordPress Gmedia Gallery Plugin
Fortinet's FortiGuard Labs has discovered multiple cross-site scripting (XSS) vulnerabilities in the WordPress Gmedia Gallery plugin.
The Gmedia Gallery plugin provides a comprehensive interface for handling galleries, images, video & audio files. With the Gmedia Gallery plugin, you can upload an unlimited number of photo and audio files, create dozens of galleries and playlists, group pictures and other files in albums, and add tags for each file.
Multiple XSS vulnerabilities have been discovered in the Gmedia Gallery plugin (version 1.18.0). These vulnerabilities are caused by improper validation of user input in the album, gallery, category and media upload modules. The vulnerability types include both stored and reflected XSS.
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Released Apr 24, 2020
Upgrade to the latest GMedia Photo Gallery Plugin version - V1.18.5
Fortinet reported the vulnerabilities to codeeasily.com on March 23, 2020
Codeeasily confirmed the security fix on April 27, 2020