Description
The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31. This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-13
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the FooGallery WordPress plugin allows an authenticated user with contributor or higher privileges to inject malicious JavaScript into pages. By supplying a specially crafted value in the 'custom_attribute_key' shortcode parameter, the attacker exploits an incomplete event-handler blacklist together with an unescaped attribute key when the gallery container is rendered. The injected script runs for any visitor who loads the page, enabling potential defacement, credential theft, cookie hijacking, and other browser-based attacks that compromise the confidentiality and integrity of the site and its users.
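As an added example (not FooGallery's own code), the following constructed Python sanitizer contrasts the incomplete event-handler blacklist described above with an allowlist check plus HTML escaping of both key and value; the restriction to `data-*` names, the function names and the sample attributes are all assumptions made for this illustration.

```python
import html
import re

# Constructed for this example: the subset of event handlers the advisory
# says the plugin's blacklist covers. Any handler not listed slips through.
EVENT_HANDLER_BLACKLIST = {
    "onmouseover", "onmouseout", "onpointerenter",
    "onclick", "onload", "onchange", "onerror",
}

# Hypothetical allowlist: only lowercase data-* names built from safe characters.
SAFE_ATTR_KEY = re.compile(r"^data-[a-z0-9]+(?:-[a-z0-9]+)*$")


def blacklist_allows(key: str) -> bool:
    """Weak check: rejects only the listed handlers, so 'onmouseenter' passes."""
    return key.lower() not in EVENT_HANDLER_BLACKLIST


def allowlist_allows(key: str) -> bool:
    """Hardened check: any key not matching the allowlist pattern is rejected."""
    return SAFE_ATTR_KEY.fullmatch(key) is not None


def build_container_attributes(attrs: dict, strict: bool = True) -> str:
    """Render attribute pairs for a gallery container element.

    strict=True  : keys must pass the allowlist; key and value are escaped.
    strict=False : only the blacklist is consulted and the key is emitted
                   unescaped (the weak behaviour the advisory describes).
    """
    parts = []
    for key, value in attrs.items():
        escaped_value = html.escape(str(value), quote=True)
        if strict:
            if not allowlist_allows(key):
                continue  # drop the whole attribute rather than try to repair it
            parts.append(f'{html.escape(key, quote=True)}="{escaped_value}"')
        else:
            if not blacklist_allows(key):
                continue
            parts.append(f'{key}="{escaped_value}"')
    return " ".join(parts)
```

Checking the two modes on the same input shows why a blacklist is the wrong tool: the allowlist drops `onmouseenter` (and any other unknown name) without needing to enumerate handlers.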

Affected Systems

All installations of the "Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel" plugin with a version of 3.1.31 or earlier are affected. The issue has been fixed in version 3.1.32 and later; any site still running a vulnerable release is at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score is not available, so the current likelihood of exploitation is uncertain, and the vulnerability is not listed in CISA KEV. Attackers must be authenticated and have contributor-level access to inject the payload, so the risk is limited to sites that grant such privileges. Once injected, the exploit is client-side and can affect every user who views the affected page.

Generated by OpenCVE AI on June 13, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Photo Gallery by FooGallery to version 3.1.32 or later, where the blacklist for JavaScript event handlers has been corrected.
  • If upgrading is not immediately possible, reduce the risk by revoking contributor or higher privileges for users who do not require them, or disable the plugin entirely until a patch is applied.
  • As a temporary defensive measure, configure a Content Security Policy header that disallows inline scripts (which also blocks inline event-handler attributes), or use a WAF rule to reject POST or shortcode data containing suspicious JavaScript attributes.



Advisories

No advisories yet.

History

Sat, 13 Jun 2026 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31. This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel <= 3.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_attribute_key' Shortcode Parameter
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-13T06:47:59.690Z

Reserved: 2026-05-20T18:31:17.531Z

Link: CVE-2026-9134

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-13T07:16:15.107

Modified: 2026-06-13T07:16:15.107

Link: CVE-2026-9134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T08:30:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')