SB2017051218 - XSS in Tribulant Slideshow Gallery plugin for WordPress

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2018-17946)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the id, method, Gallerymessage, Galleryerror, or Galleryupdated parameter. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf
• https://wordpress.org/plugins/slideshow-gallery/#developers