CVE-2021-47929 Overview
CVE-2021-47929 is a stored cross-site scripting (XSS) vulnerability in the Filterable Portfolio Gallery WordPress plugin version 1.0. Authenticated attackers can inject malicious JavaScript through the gallery title field. The payload persists in the database and executes in any browser that renders the gallery preview. The flaw is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
An authenticated low-privilege user can plant persistent JavaScript that runs in the session of any administrator or visitor viewing the gallery, enabling session theft, account takeover, and arbitrary actions in the WordPress admin context.
Affected Products
- WordPress plugin Filterable Portfolio Gallery (FG Gallery) version 1.0
- WordPress sites using the fg-gallery plugin with affected versions installed
- Any user environment rendering stored gallery titles without sanitization
Discovery Timeline
- 2026-05-10 - CVE-2021-47929 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2021-47929
Vulnerability Analysis
The Filterable Portfolio Gallery plugin accepts user-supplied content in the gallery title field without applying output encoding or input sanitization. When an authenticated user enters JavaScript in this field, the plugin stores the raw value in the WordPress database. The stored payload is later rendered inside the gallery preview view, where the browser parses it as executable HTML. The result is a persistent XSS condition that triggers automatically whenever the affected page is loaded.
Exploitation requires only contributor- or editor-level credentials, since the title field is reachable through the standard plugin interface. The attack surface is exposed over the network, and execution depends on a victim loading the gallery view. Because the script runs in the context of the WordPress origin, an attacker can read cookies, exfiltrate nonces, perform CSRF-protected administrative actions, or pivot to deliver malware to site visitors.
Root Cause
The root cause is missing output escaping on a stored user-controlled field. The plugin does not pass the title through WordPress helper functions such as esc_html(), esc_attr(), or wp_kses_post() before echoing it into the page. This permits any HTML tag, including <img> with an onerror handler or <script> blocks, to be rendered verbatim.
Attack Vector
An attacker authenticates to the WordPress instance, navigates to the plugin's gallery creation interface, and submits a payload such as an image tag with a malformed source and an onerror JavaScript handler in the title field. The payload is saved to the database. When an administrator or visitor previews the gallery, the browser attempts to load the broken image, triggers the onerror handler, and executes the injected JavaScript in the victim's session context.
A public proof of concept is available at Exploit-DB #50458, and a technical write-up is published in the VulnCheck Advisory for XSS.
Detection Methods for CVE-2021-47929
Indicators of Compromise
- Gallery title fields containing HTML tags such as <script>, <img onerror=>, <svg onload=>, or encoded variants stored in the wp_posts or plugin-specific tables
- Unexpected outbound requests from administrator browsers to attacker-controlled domains shortly after viewing gallery pages
- New or modified WordPress administrator accounts created soon after a low-privilege user edited a gallery entry
- Browser console errors referencing failed image loads on gallery preview pages
Detection Strategies
- Query the WordPress database for gallery records whose title fields contain angle brackets, javascript:, onerror, onload, or <script substrings
- Inspect HTTP responses returned by gallery preview endpoints for unescaped HTML originating from user input
- Review WordPress audit logs for gallery create or update events performed by non-administrator accounts
- Correlate authentication events for contributor or editor roles with subsequent administrator session anomalies
Monitoring Recommendations
- Enable a web application firewall rule set that flags HTML tags submitted to plugin form fields
- Monitor endpoint browser telemetry on administrator workstations for script execution originating from the WordPress admin origin
- Alert on Content Security Policy (CSP) violation reports from pages rendered by the gallery plugin
- Track plugin file integrity to detect tampering or unexpected version changes
How to Mitigate CVE-2021-47929
Immediate Actions Required
- Audit installed WordPress plugins and remove or deactivate Filterable Portfolio Gallery version 1.0 until a patched release is confirmed
- Restrict authoring privileges so that only trusted accounts can create or edit gallery entries
- Force password resets and invalidate active sessions for all administrator accounts if exploitation is suspected
- Sanitize existing gallery title records in the database to strip stored HTML payloads
Patch Information
No vendor patch has been referenced in the available advisories for Filterable Portfolio Gallery 1.0. Site operators should monitor the WordPress FG Gallery Plugin page and the Filterable Portfolio Home site for an updated release. Until a fix is published, removal of the plugin is the most reliable remediation.
Workarounds
- Replace the plugin with a maintained alternative that performs proper output escaping on user-supplied gallery metadata
- Deploy a Content Security Policy that disables inline script execution and restricts script sources to trusted origins
- Apply a WAF virtual patch that blocks HTML tags in POST parameters targeting the gallery plugin endpoints
- Limit the WordPress role capabilities so that only administrators can publish gallery content, reducing the pool of accounts able to plant stored payloads
# Configuration example: WordPress role hardening and CSP header via .htaccess
# 1) Remove the vulnerable plugin
wp plugin deactivate fg-gallery
wp plugin delete fg-gallery
# 2) Add a strict Content Security Policy header
# Append to .htaccess at the WordPress root
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
# 3) Restrict gallery editing capability to administrators only
wp cap remove editor edit_published_posts
wp cap remove contributor edit_posts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
