CVE-2023-5307 – Photos and Files Contest Gallery – Contact Form < 21.2.8.1 – Unauthenticated Stored XSS via HTTP Headers

During the rigorous testing of the Photos and Files Contest Gallery – Contact Form plugin, a critical vulnerability was identified. It allows unauthenticated users to inject a Stored Cross-Site Scripting (XSS) payload that, when it executes in an administrator's browser session, can be used to elevate the attacker's privileges to the administrator role. The root cause is X-Forwarded-For header injection: the plugin stores the header value without validation and renders it without encoding.
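The pattern behind this class of bug, and its fix, as an added illustration that is not the plugin's own code (the plugin is PHP; Python is used here so the two handling paths can be run side by side). The request dictionaries, the `trust_proxy` flag and all function names are constructed for the example. The unsafe path trusts `X-Forwarded-For` verbatim and interpolates it into HTML; the hardened path only consults the header when a reverse proxy is known to set it, takes the hop that proxy appended, rejects anything that is not an IP address, and HTML-encodes on output regardless.

```python
import html
import ipaddress

# Constructed sample CGI-style environments (not captured from the plugin):
# an honest client behind one proxy, and a client that puts markup in the header.
HONEST_REQUEST = {"REMOTE_ADDR": "203.0.113.10", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
HOSTILE_REQUEST = {"REMOTE_ADDR": "203.0.113.10", "HTTP_X_FORWARDED_FOR": "<i>injected</i>"}


def client_ip_unsafe(env: dict) -> str:
    """Vulnerable pattern: the header is attacker-controlled and taken verbatim."""
    return env.get("HTTP_X_FORWARDED_FOR") or env.get("REMOTE_ADDR", "")


def client_ip_safe(env: dict, trust_proxy: bool = False) -> str:
    """Hardened pattern (assumption: exactly one trusted reverse proxy in front).

    - Ignore the header entirely unless the deployment actually has a proxy.
    - Use the last comma-separated entry, which is the one the trusted proxy
      appended; earlier entries are whatever the client chose to send.
    - Accept only a syntactically valid IP; otherwise fall back to the socket peer.
    """
    remote = env.get("REMOTE_ADDR", "")
    if not trust_proxy:
        return remote
    raw = env.get("HTTP_X_FORWARDED_FOR", "")
    candidate = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote


def render_row_unsafe(ip: str) -> str:
    """Vulnerable output: stored value lands in the admin page as raw HTML."""
    return f"<td>{ip}</td>"


def render_row_safe(ip: str) -> str:
    """Hardened output: encode on render even though the value was validated on input."""
    return f"<td>{html.escape(ip, quote=True)}</td>"


if __name__ == "__main__":
    for env in (HONEST_REQUEST, HOSTILE_REQUEST):
        print("unsafe:", render_row_unsafe(client_ip_unsafe(env)))
        print("safe:  ", render_row_safe(client_ip_safe(env, trust_proxy=True)))
```

Both controls matter independently: input validation stops junk from being stored at all, and output encoding protects the admin view even if some other code path writes an unvalidated value into the same table.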