During testing of the plugin, a vulnerability was discovered that allows an unauthenticated user to trigger a Stored XSS, which can lead to privilege escalation to the administrator role. The vulnerability is caused by X-Forwarded-For header injection.

Main info:

CVE: CVE-2023-5307
Plugin: Photos and Files Contest Gallery – Contact Form
Critical: Very High
Publicly Published: October 9, 2023
Last Updated: October 9, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: Will be published later
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5307
https://wpscan.com/vulnerability/6fac1e09-21ab-430d-b56d-195e7238c08c

Timeline

September 29, 2023: Plugin testing and vulnerability detection in the Photos and Files Contest Gallery – Contact Form plugin were completed
September 29, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
October 5, 2023: The author released a fix update
October 9, 2023: CVE-2023-5307 registered

Discovery of the Vulnerability

During the rigorous testing of the Photos and Files Contest Gallery – Contact Form plugin, a critical vulnerability was identified. This vulnerability allows unauthorized users to trigger a Stored Cross-Site Scripting (XSS) vulnerability, subsequently elevating their privileges to the administrator role. The root cause of this vulnerability lies in X-Forwarded-For Header Injection.

Understanding Stored XSS attacks

Unauthenticated Stored XSS via HTTP Headers refers to a security flaw where malicious code is injected into a web application’s HTTP headers, typically without requiring authentication. When this manipulated header is processed by the application, the injected script is stored in a database or server and later executed when other users visit the affected page.

For instance, consider a scenario where an attacker crafts a malicious HTTP header:

GET /vulnerable-page HTTP/1.1
Host: example.com
X-Forwarded-For: <script>alert('XSS Attack!');</script>

Example of XSS via header injection

When this request is sent to the vulnerable page, the payload is stored on the server. Subsequently, when other users access the page, the injected script executes, displaying an alert with the message “XSS Attack!”.

Exploiting the Stored XSS

Exploiting the Unauthenticated Stored XSS vulnerability in the Photos and Files Contest Gallery – Contact Form plugin involves an attacker manipulating the X-Forwarded-For HTTP header to inject malicious code. This injected code could include payloads designed to steal user credentials, hijack sessions, or perform actions on behalf of an administrator. Since this vulnerability doesn’t require authentication, attackers can target the vulnerable page directly.

PoC:

X-Forwarded-For: 11.11.11.11<img src=x onerror=alert(1)>

This header must be included in the request body.

The potential risks associated with CVE-2023-5307 are substantial. An attacker can gain unauthorized access to administrator privileges, potentially leading to complete control of the website. The consequences of such an attack could include data breaches, content manipulation, and reputational damage.

In a real-world scenario, imagine an attacker exploiting this vulnerability to elevate their privileges to that of an administrator on a website utilizing the Photos and Files Contest Gallery – Contact Form plugin. By injecting malicious code via the X-Forwarded-For header, the attacker can execute arbitrary actions with the highest level of access. This could lead to website compromise, unauthorized content alterations, and data exfiltration.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2023-5307 and enhance the overall security of websites utilizing the Photos and Files Contest Gallery – Contact Form plugin, consider the following recommendations:

  • Update the plugin: Promptly update the plugin to the latest version (21.2.8.1 or later), which should include a patch to address this vulnerability.
  • Input validation and sanitization: Implement stringent input validation and data sanitization practices to prevent malicious code injection through HTTP headers.
  • Regular security assessments: Conduct routine security audits and penetration testing to proactively identify and address vulnerabilities.
  • HTTP header security: Configure your web server and application to sanitize and validate incoming HTTP headers effectively.
  • User education: Educate administrators and developers about potential security threats, emphasizing best practices for header security and the importance of timely plugin updates.
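As an added illustration of the "input validation and sanitization" recommendation (example code, not the plugin's or the author's own), the snippet below places the pattern that stores X-Forwarded-For verbatim beside a hardened variant that only honours the header from a trusted proxy, validates it as an IP, and escapes it on output; the function names, the proxy address and the trusted-proxy list are assumptions.

```php
<?php
// Added example (not the plugin's code): a contact-form handler that records the
// submitter's IP. The unsafe variant trusts X-Forwarded-For verbatim, which is the
// pattern behind the stored XSS described in this advisory.
function get_client_ip_unsafe(array $server): string
{
    // Any client can send X-Forwarded-For, so this value is attacker-controlled.
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened variant: honour X-Forwarded-For only when the connecting peer is a known
// reverse proxy, take the left-most entry, and require a syntactically valid IP.
function get_client_ip_safe(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        // X-Forwarded-For is comma-separated: client, proxy1, proxy2, ...
        $candidate = trim(explode(',', $xff)[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Fall back to the socket address, which cannot be forged at the HTTP layer.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Whatever is stored must still be escaped when rendered in the admin table.
// In WordPress this would be esc_html(); htmlspecialchars() keeps the example
// runnable outside WordPress.
function render_ip_cell(string $ip): string
{
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request carrying the advisory's PoC header, sent directly (no proxy).
$request = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '11.11.11.11<img src=x onerror=alert(1)>',
];
$trustedProxies = ['198.51.100.1']; // constructed: the site's reverse proxy

echo 'unsafe, unescaped : <td>' . get_client_ip_unsafe($request) . '</td>', PHP_EOL;
echo 'unsafe, escaped   : ' . render_ip_cell(get_client_ip_unsafe($request)), PHP_EOL;
echo 'safe              : ' . render_ip_cell(get_client_ip_safe($request, $trustedProxies)), PHP_EOL;
// Same payload arriving through the trusted proxy: the entry fails IP validation,
// so the proxy's address is recorded instead of the payload.
$request['REMOTE_ADDR'] = '198.51.100.1';
echo 'safe via proxy    : ' . render_ip_cell(get_client_ip_safe($request, $trustedProxies)), PHP_EOL;
```

The first line reproduces the stored payload unescaped; the other three show that either output escaping or strict IP validation alone neutralises it, and that both together are the robust choice.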

By adhering to these recommendations, website administrators can significantly reduce the risk of Unauthenticated Stored XSS attacks via HTTP headers and enhance the overall security posture of their web applications.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability


DMITRII I.

CVE-2023-5307 – Photos and Files Contest Gallery – Contact Form < 21.2.8.1 – Unauthenticated Stored XSS via HTTP Headers
