XenForo Media Gallery 1.0.9 Released (Security Fix)

We have recently become aware of a security issue within XenForo Media Gallery and have released a patch and new version (XenForo Media Gallery 1.0.9) to resolve this issue. We strongly recommend all XenForo Media Gallery customers follow the steps below to resolve this issue.

The issue is a cross site scripting (XSS) flaw that could allow an attacker to steal cookies or force a user to take actions without their consent or knowledge (possibly including administrative actions).

We would like to thank @TickTackk for bringing this to our attention.

If you have any questions relating to installing this patch or upgrading to the new version, please post in the Media Gallery Support forum.

Method 1: Upgrade to the New Version

The security fix can be applied by downloading XenForo Media Gallery 1.0.9 from your customer area and upgrading XenForo Media Gallery as normal.

This release also fixes an issue with view permissions not being set on new installs for the Example Category.

Method 2: Install the Patch

Download the patch zip file attached to the end of this message. It contains 8 files:
  • js/xengallery/media_add.js
  • js/xengallery/media_lightbox.js
  • js/xengallery/min/media_add.js
  • js/xengallery/min/media_lightbox.js
  • library/XenGallery/ViewPublic/Media/BbCode.php
  • library/XenGallery/ViewPublic/Media/DoUpload.php
  • library/XenGallery/ViewPublic/Media/Edit.php
  • library/XenGallery/ViewPublic/Media/PreviewVideo.php
These 8 files should be uploaded to your server, overwriting the existing files of the same names.

Note that this patch supersedes version 1.0.8, therefore you only need to apply this patch to resolve the issues.

Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.


  • xfmg_patch_109.zip
    43.9 KB · Views: 187