Zero-Day Advisory
Fortinet Discovers WordPress SimpLy Gallery Blocks Plugin Cross-Site Scripting Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a cross-site scripting (XSS) vulnerability in WordPress SimpLy Gallery Blocks plugin.
SimpLy Gallery Blocks is a friendly, easy-to-use gallery plugin with a list of advanced options for creating responsive Image, Video, Audio galleries. It has over 10,000 active installations.
A stored cross-site scripting vulnerability has been discovered in Simply Gallery Blocks with Lightbox. The vulnerability exists in the Lightbox functionality, where a user with low privileges is allowed to execute arbitrary script code within the context of the application. This vulnerability is caused by insufficient validation of image meta data.
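The following Node.js snippet is an added illustration of the bug class described above, not the plugin's own code (which this advisory does not show): a lightbox caption renderer that interpolates stored image metadata straight into markup, beside one that escapes every field for its HTML context. The metadata shape and field names (src, alt, caption) are assumptions.

```javascript
// Added example: rendering image metadata in a lightbox caption.
// The metadata fields (src, alt, caption) are assumed, not the plugin's
// actual data model.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: metadata saved by a low-privileged author is placed
// into markup verbatim, so tags or quotes inside it become live HTML for
// every visitor who opens the lightbox (a stored XSS).
function renderCaptionUnsafe(meta) {
  return `<figure><img src="${meta.src}" alt="${meta.alt}">` +
         `<figcaption>${meta.caption}</figcaption></figure>`;
}

// Hardened pattern: each field is escaped for the context it lands in, and
// the image URL is restricted to http(s) so non-HTTP schemes are dropped.
function renderCaptionSafe(meta) {
  const src = /^https?:\/\//i.test(meta.src) ? meta.src : "";
  return `<figure><img src="${escapeHtml(src)}" alt="${escapeHtml(meta.alt)}">` +
         `<figcaption>${escapeHtml(meta.caption)}</figcaption></figure>`;
}

// Constructed sample: metadata as an untrusted author might have stored it,
// with a quote that breaks out of the alt attribute and a tag in the caption.
const SAMPLE_META = {
  src: "https://example.invalid/photo.jpg",
  alt: 'Sunset" data-injected="1',
  caption: "Holiday <script>x()</script>",
};

console.log(renderCaptionUnsafe(SAMPLE_META));
console.log(renderCaptionSafe(SAMPLE_META));
```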
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: WordPress.Plugin.Simply.Gallery.Block.Lightbox.XSS
Released Aug 11, 2021
Upgrade to version 2.2.1 or above.
Timeline
Fortinet reported the vulnerability to the WordPress Plugins Team on August 9, 2021.
Galleryblocks Team confirmed the vulnerability on August 9, 2021.
Galleryblocks Team patched the vulnerability on August 12, 2021.