The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom `|***...***|` marker pattern in its `fixJsFunction()` method to embed raw JavaScript function references within JSON-encoded configuration objects. When a gallery's options are rendered on the frontend, `json_encode()` wraps all string values in double quotes. The `fixJsFunction()` method then strips the `"|***` and `***|"` sequences, effectively converting a JSON string value into raw JavaScript code. The Loading Label field (stored as `rbs_gallery_LoadingWord` post_meta) is an `rbstext` type field that is sanitized with `sanitize_text_field()` on save. While this strips HTML tags, it does not strip the `|***...***|` markers since they contain no HTML. When a user inputs `|***alert(document.domain)***|`, the value passes through sanitization intact, is stored in post_meta, and is later retrieved and output within an inline `<script>` tag via `renderMainBlock()` with the quote markers stripped — resulting in arbitrary JavaScript execution. The gallery post type uses `capability_type => 'post'`, allowing Author-level users to create galleries. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the gallery shortcode.
The Robo Gallery WordPress plugin versions up to 5.1.3 contain a Stored Cross-Site Scripting vulnerability in the Loading Label setting that allows authenticated users to inject malicious JavaScript code. The vulnerability exploits a custom marker pattern used to embed JavaScript functions within JSON configuration objects that is not properly sanitized.
تحتوي إضافة Robo Gallery لـ WordPress على ثغرة Stored XSS في حقل Loading Label حيث تستخدم الإضافة نمط علامات مخصص |***...***| لتضمين مراجع دوال JavaScript في كائنات JSON. عند حفظ البيانات، تقوم الدالة sanitize_text_field() بإزالة علامات HTML لكن لا تزيل النمط المخصص، مما يسمح بحقن كود JavaScript ضار. يمكن للمستخدمين المصرح لهم بتحرير المعارض تنفيذ كود JavaScript تعسفي في متصفحات الزوار.
The Robo Gallery WordPress plugin versions up to 5.1.3 contain a Stored Cross-Site Scripting vulnerability in the Loading Label setting that allows authenticated users to inject malicious JavaScript code. The vulnerability exploits a custom marker pattern used to embed JavaScript functions within JSON configuration objects that is not properly sanitized.
Update the Robo Gallery plugin to version 5.1.4 or later immediately. If immediate update is not possible, restrict access to gallery settings to trusted administrators only and implement Web Application Firewall rules to detect and block the |***...***| marker pattern in POST requests.
قم بتحديث إضافة Robo Gallery إلى الإصدار 5.1.4 أو أحدث فوراً. إذا لم يكن التحديث الفوري ممكناً، قيد الوصول إلى إعدادات المعرض للمسؤولين الموثوقين فقط وطبق قواعد جدار الحماية لتطبيقات الويب للكشف عن نمط |***...***| وحجبه.