Atomic Edge analysis of CVE-2025-13612:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Album and Image Gallery plus Lightbox WordPress plugin. The vulnerability affects the plugin’s `aigpl-gallery-album` shortcode handler in versions up to and including 2.1.7. Attackers with contributor-level access or higher can inject malicious scripts via shortcode attributes, which execute when users view pages containing the manipulated shortcode.
The root cause is insufficient input sanitization combined with missing output escaping of user-supplied shortcode attributes. The vulnerable code resides in `/includes/shortcode/aigpl-gallery-album.php` within the `aigpl_gallery_album_shortcode()` function. Specifically, the `content_tail` attribute (line 81 in the diff) is passed through `html_entity_decode()`, which turns entity-encoded text back into live HTML, and the decoded value is then written into the rendered markup with no further sanitization or escaping. An attacker can therefore store a JavaScript payload in the post content, where it persists in the database and executes whenever the page is rendered.
Exploitation requires an authenticated attacker with at least contributor privileges to create or edit a post containing the `[aigpl-gallery-album]` shortcode. The attacker crafts a shortcode whose `content_tail` attribute carries JavaScript, such as `[aigpl-gallery-album content_tail="…alert(document.cookie)"]`. When the post is saved and later viewed by any user, the script executes in that user's browser context, so the payload runs with whatever privileges the viewer holds.
The patch in version 2.1.8 addresses the vulnerability by sanitizing the `content_tail` attribute instead of decoding it. The diff shows line 81 changed from `$content_tail = html_entity_decode( $content_tail );` to `$content_tail = sanitize_text_field( $content_tail );`. `sanitize_text_field()` strips HTML tags, line breaks and stray `<` characters, so a tag injected through the attribute is removed rather than decoded into live markup. Note that this is input sanitization rather than output escaping; the standard WordPress guidance is to also escape at the output point with `esc_html()` or `esc_attr()`, since `sanitize_text_field()` does not neutralize quotes and would not by itself protect a value placed inside an HTML attribute. The patch also adds sanitization to other user inputs throughout the codebase, including the `$album_ses` parameter handling and various admin functions.
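The vulnerable and patched shapes side by side, as an added PHP illustration written for this analysis; it is not the plugin's code. The `*_stub()` helpers are simplified stand-ins for the WordPress core functions `sanitize_text_field()` and `esc_html()`/`esc_attr()` so the script runs outside WordPress, the input strings are constructed for the demo, and the attribute-context sink is hypothetical (the write-up does not say where the plugin outputs the value). The last two cases go beyond the write-up to show why output escaping is still wanted on top of the 2.1.8 change.

```php
<?php
// Added illustration for the CVE-2025-13612 analysis above; none of this is
// the plugin's own code. The *_stub() helpers are simplified stand-ins for the
// WordPress core functions of the same name so the script runs without WordPress.

// Stand-in for sanitize_text_field(): strips tags, collapses whitespace and
// neutralises a stray '<'. Note what it does NOT do: it leaves quotes alone.
function sanitize_text_field_stub(string $str): string {
    $str = strip_tags($str);
    $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
    $str = str_replace('<', '&lt;', $str);
    return trim($str);
}

// Stand-in for esc_html()/esc_attr(): escape for an HTML text or attribute
// context. double_encode=false mirrors _wp_specialchars(), which leaves
// existing entities untouched.
function esc_stub(string $str): string {
    return htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// 2.1.7 shape: html_entity_decode() followed by raw output.
function render_vulnerable(string $content_tail): string {
    $content_tail = html_entity_decode($content_tail);
    return '<p class="aigpl-tail">' . $content_tail . '</p>';
}

// 2.1.8 shape: sanitize_text_field() followed by raw output.
function render_patched(string $content_tail): string {
    $content_tail = sanitize_text_field_stub($content_tail);
    return '<p class="aigpl-tail">' . $content_tail . '</p>';
}

// Hypothetical attribute sink (not from the plugin): the same sanitized value
// placed inside a quoted attribute, with and without output escaping.
function render_attr_sanitize_only(string $content_tail): string {
    $content_tail = sanitize_text_field_stub($content_tail);
    return '<p class="aigpl-tail" title="' . $content_tail . '"></p>';
}

function render_attr_escaped(string $content_tail): string {
    $content_tail = sanitize_text_field_stub($content_tail);
    return '<p class="aigpl-tail" title="' . esc_stub($content_tail) . '"></p>';
}

// Constructed inputs for the demo.
$entity_payload = '&lt;script&gt;alert(document.cookie)&lt;/script&gt;';
$quote_payload  = '" onmouseover="alert(document.cookie)';

$cases = [
    ['vulnerable (decode)',     render_vulnerable($entity_payload)],
    ['patched (sanitize)',      render_patched($entity_payload)],
    ['attr, sanitize only',     render_attr_sanitize_only($quote_payload)],
    ['attr, sanitize + escape', render_attr_escaped($quote_payload)],
];

foreach ($cases as [$label, $html]) {
    // Crude check: does the output contain a live tag or an event-handler attribute?
    $live = preg_match('/<script|\son\w+="/i', $html) ? 'LIVE' : 'inert';
    printf("%-24s %-6s %s\n", $label, $live, $html);
}
```

Running it shows the first case emitting a live `<script>` element because `html_entity_decode()` turned the entity-encoded attribute back into markup, the second case emitting the same input as inert text, the third case breaking out of the `title` attribute into an `onmouseover` handler even though the value went through the sanitizer, and the fourth case staying inert because the quotes were escaped at the output point.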
Successful exploitation allows attackers to perform actions within the victim’s WordPress session, including stealing authentication cookies, performing administrative actions, redirecting users to malicious sites, or defacing websites. Since the XSS is stored, a single injection affects all users who view the compromised page, potentially leading to widespread account compromise and site takeover.
