CVE-2021-47951
Stored XSS in WordPress Picture Gallery Plugin
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_picture_gallery | picture_gallery | 1.4.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47951 is a stored cross-site scripting (XSS) vulnerability in WordPress Picture Gallery version 1.4.2.
Authenticated attackers can inject malicious JavaScript code through the Edit Content URL field in the Access Control settings.
The injected scripts are stored in the database and executed when the affected functionality is triggered.
This can lead to session hijacking or credential theft.
How can this vulnerability impact me? :
This vulnerability allows attackers to execute malicious JavaScript in the context of the affected website.
- Attackers can hijack user sessions.
- Attackers can steal user credentials.
Such impacts can compromise user accounts and the security of the website.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) through the Edit Content URL field in the Access Control settings of the WordPress Picture Gallery plugin version 1.4.2.
To detect this vulnerability on your system, you can check for suspicious or unexpected JavaScript code stored in the Edit Content URL field within the plugin's Access Control settings in the WordPress admin panel.
Additionally, monitoring HTTP requests and responses for injected JavaScript payloads when accessing the affected functionality can help identify exploitation attempts.
There are no specific commands provided in the resources, but general approaches include:
- Using database queries to inspect the plugin options table for suspicious script tags or JavaScript code in the Edit Content URL field.
- Using web vulnerability scanners that support detection of stored XSS vulnerabilities in WordPress plugins.
- Reviewing web server logs for unusual requests or payloads targeting the plugin's Access Control settings.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WordPress Picture Gallery plugin to the latest version where this vulnerability is fixed.
If an update is not immediately available, restrict access to the plugin's Access Control settings to trusted administrators only, as the vulnerability requires authenticated access.
Additionally, review and sanitize any input in the Edit Content URL field to remove any malicious scripts.
Implement web application firewall (WAF) rules to detect and block attempts to inject JavaScript payloads through the plugin.
Regularly monitor your site for signs of exploitation such as unexpected script execution, session hijacking, or credential theft.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The stored cross-site scripting (XSS) vulnerability in WordPress Picture Gallery 1.4.2 allows attackers to inject malicious scripts that can lead to session hijacking or credential theft.
Such unauthorized access to user credentials and session data can result in the exposure of personal and sensitive information, which may violate data protection regulations like GDPR and HIPAA that require safeguarding user data against unauthorized access and breaches.
Therefore, this vulnerability poses a risk to compliance with these standards by potentially enabling attackers to compromise confidentiality and integrity of protected data.