Fortinet Discovers WordPress FooGallery Lightbox Cross-Site Scripting Vulnerability
Fortinet's FortiGuard Labs has discovered a cross-site scripting (XSS) vulnerability in WordPress FooGallery Plugin.
FooGallery is an easy-to-use WordPress gallery plugin, with stunning gallery layouts. It is also responsive, retina-ready and supports lazy loading for lightning fast photo galleries. It's a popular plugin with over 200,000 installations.
The vulnerability is caused by improper sanitization of user input in the image title and caption fields of the gallery media upload editor. Because the plugin's default lightbox renders those values into the page without adequate escaping, a payload saved in either field leads to cross-site scripting (XSS) when the lightbox is opened.
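To illustrate the rendering pattern behind this class of bug, here is an added example in JavaScript. It is not FooGallery's code and is not derived from the plugin's source: the lightbox template, the item fields, the payload strings and the `example.invalid` URL are all assumptions made for the example. It shows a caption template that interpolates stored title and caption strings directly into markup, the hardened version that escapes them at the point of output, and a small quote-aware regression check that flags markup or event-handler attributes that the template itself never emits.

```javascript
// Added example, not FooGallery's code. Assumes (hypothetically) that the
// lightbox builds its caption markup from the stored title/caption strings
// and assigns the result with innerHTML.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML element text and in
// double-quoted attribute values; safe for both contexts used below.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed gallery item with attacker-chosen title and caption. The
// payloads are hypothetical and not taken from any real report.
const SAMPLE_ITEM = {
  src: 'https://example.invalid/uploads/photo.jpg',
  title: 'Holiday<svg onload=alert(document.cookie)>', // breaks out of element text
  caption: 'Beach" onmouseover="alert(1)',             // breaks out of an attribute value
};

// Vulnerable: stored strings are interpolated straight into the markup.
function renderLightboxUnsafe(item) {
  return `<figure class="fg-lightbox">` +
    `<img src="${item.src}" alt="${item.caption}">` +
    `<figcaption><h4>${item.title}</h4><p>${item.caption}</p></figcaption>` +
    `</figure>`;
}

// Hardened: every untrusted value is escaped where it enters the markup.
function renderLightboxSafe(item) {
  return `<figure class="fg-lightbox">` +
    `<img src="${escapeHtml(item.src)}" alt="${escapeHtml(item.caption)}">` +
    `<figcaption><h4>${escapeHtml(item.title)}</h4><p>${escapeHtml(item.caption)}</p></figcaption>` +
    `</figure>`;
}

// Regression check for this template: walk every tag, tokenise its attributes
// quote-aware, and flag any tag the template never emits or any on* attribute.
// This is a test heuristic for a known template, not a general HTML parser.
const TEMPLATE_TAGS = new Set(['figure', 'img', 'figcaption', 'h4', 'p']);
function looksInjected(html) {
  // A tag body is a run of quoted strings and non-'>' characters up to the closing '>'.
  const tagRe = /<\/?([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  // An attribute is a name, optionally followed by '=' and a quoted or bare value.
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s]+))?/g;
  for (const [, name, attrs] of html.matchAll(tagRe)) {
    if (!TEMPLATE_TAGS.has(name.toLowerCase())) return true;
    for (const [, attr] of attrs.matchAll(attrRe)) {
      if (/^on/i.test(attr)) return true;
    }
  }
  return false;
}

console.log('unsafe render injected:', looksInjected(renderLightboxUnsafe(SAMPLE_ITEM)));
console.log('safe render injected:  ', looksInjected(renderLightboxSafe(SAMPLE_ITEM)));
```

The unsafe render is flagged twice over: the caption closes the `alt` attribute and adds an `onmouseover` handler, and the title injects an `<svg>` tag with an `onload` handler. The escaped render keeps both payloads as inert text. On the WordPress server side the same discipline applies at output time, with `esc_html()` for element text and `esc_attr()` for attribute values; sanitizing at save time alone does not protect a value that is later emitted into a different context.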
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability:
Released May 08, 2020
Update to version 1.9.25 or later.
Fortinet reported the vulnerability to FooPlugins on April 10, 2020.
FooPlugins confirmed the vulnerability on April 16, 2020.
FooPlugins released a patch for the vulnerability on May 4, 2020.