CVE-2015-1394: 
WordPress vulnerability analysis and mitigation

Multiple cross-site scripting (XSS) vulnerabilities were discovered in the Photo Gallery plugin before version 1.2.11 for WordPress. The vulnerability was identified on January 20, 2015, and affects authenticated users who can upload pictures to galleries. The plugin had over half a million downloads at the time of discovery (Bugtraq).

The vulnerability exists in the wp-admin/admin-ajax.php endpoint when processing various parameters during image upload. Eight parameters were found to be vulnerable to XSS: sort_by, sort_order, items_view, dir, clipboard_task, clipboard_files, clipboard_src, and clipboard_dest. The sort_by parameter could be exploited via GET request, while others required POST requests. The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users to inject arbitrary web script or HTML via multiple parameters. This could enable attackers to perform website spoofing or inject malicious JavaScript code to use attacking tools like BeEF against other WordPress backend users (Bugtraq).

Users should update to Photo Gallery version 1.2.11 or later which contains fixes for these vulnerabilities. The vendor was informed on January 21, 2015, responded on January 23, 2015, and released a fix on January 25, 2015 (Bugtraq).