Easy Social Photos Gallery Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Easy Social Photos Gallery plugin for WordPress, affecting all versions through 3.1.2. The issue is in the 'my-instagram-feed' shortcode, specifically its 'wrapper_class' attribute, and is caused by inadequate input sanitization and output escaping of user-supplied attributes. The plugin uses sanitize_text_field() instead of esc_attr() when rendering 'wrapper_class' inside a double-quoted HTML class attribute. sanitize_text_field() strips tags but does not encode double quotes, so a value can close the class attribute and inject arbitrary HTML event handlers. As a result, authenticated attackers with contributor-level access or higher can insert arbitrary web scripts into pages, which will execute when a user visits the affected page.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, an authenticated user with contributor-level access or higher can add the 'my-instagram-feed' shortcode to a post or page, including a malicious script in the 'wrapper_class' attribute. Once the shortcode is saved, the injected script will execute when the page is viewed.
Remediation
No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
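Because no patch is available, a site that has run the plugin may also want to check stored content for 'wrapper_class' values that are not plain class names. The following is an added example, not code from the plugin or from this advisory. It assumes post content has been exported as a mapping of post ID to text. The shortcode matching is a simplified regex rather than WordPress's own parser, the class-name allowlist is a conservative assumption, and the sample posts are constructed.

```python
import re

# Simplified matcher for the shortcode tag named in the advisory.
SHORTCODE_RE = re.compile(r"\[my-instagram-feed\b([^\]]*)\]", re.IGNORECASE)
# wrapper_class="...", wrapper_class='...' or an unquoted value.
ATTR_RE = re.compile(
    r"""\bwrapper_class\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""",
    re.IGNORECASE,
)
# Assumed allowlist: space-separated tokens of letters, digits, '-' and '_'.
SAFE_CLASSES_RE = re.compile(r"^[A-Za-z0-9_-]+(?: +[A-Za-z0-9_-]+)*$")


def suspicious_wrapper_classes(post_content):
    """Return wrapper_class values that are not plain CSS class lists."""
    findings = []
    for tag in SHORTCODE_RE.finditer(post_content):
        for attr in ATTR_RE.finditer(tag.group(1)):
            # Exactly one of the three capture groups is set per match.
            value = next(g for g in attr.groups() if g is not None)
            if value and not SAFE_CLASSES_RE.match(value):
                findings.append(value)
    return findings


def scan_posts(posts):
    """Map post ID -> flagged values, only for posts that have any."""
    report = {}
    for post_id, content in posts.items():
        hits = suspicious_wrapper_classes(content)
        if hits:
            report[post_id] = hits
    return report


# Constructed sample rows (post ID -> post_content), not real data.
SAMPLE_POSTS = {
    101: '[my-instagram-feed wrapper_class="feed-grid dark"]',
    102: "[my-instagram-feed wrapper_class='feed\" data-test=\"1']",
    103: "No shortcode here.",
    104: "[my-instagram-feed wrapper_class=sidebar_feed]",
}

if __name__ == "__main__":
    for post_id, values in scan_posts(SAMPLE_POSTS).items():
        print(post_id, values)
```

Flagged posts are candidates for manual review; the allowlist is stricter than what CSS permits, so an unusual but harmless class name can also be reported.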
