WordPress Filterable Portfolio Gallery Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Filterable Portfolio Gallery WordPress plugin, version 1.0. This vulnerability allows authenticated attackers to inject malicious JavaScript into the title field, which is then executed when the gallery is previewed. The injected script can be crafted to include image tags with onerror handlers, triggering the execution of the JavaScript for all users viewing the page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the gallery.

Reproduction

To reproduce this vulnerability, install WordPress and activate the Filterable Portfolio Gallery plugin version 1.0. After activation, navigate to the plugin's post type and enter a JavaScript payload into the title field. Save the post and preview it. The injected script will execute, demonstrating the cross-site scripting vulnerability.