Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24291 — Cross-site Scripting in Gallery Team Photo Gallery BY 10web Mobile-friendly Image Gallery

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

14.6%

top 5.51%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Photo Gallery Team Photo Gallery BY 10web Mobile-friendly Image Gallery 10web Photo Gallery

Timeline

PublishedMay 14

Latest updateMay 24

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5photo_gallery_team/photo_gallery_by_10web_mobile-friendly_image_gallery1.5.69 — 1.5.69

▶NVD10web/photo_gallery< 1.5.69

🔴Vulnerability Details

GHSA

GHSA-69rf-m6w3-jf8j: The Photo Gallery by 10Web â€“ Mobile-Friendly Image Gallery WordPress plugin before 1↗2022-05-24

▶

CVEList

Photo Gallery < 1.5.69 - Multiple Reflected Cross-Site Scripting (XSS)↗2021-05-14

▶

💥Exploits & PoCs

Nuclei

WordPress Photo Gallery by 10Web <1.5.69 - Cross-Site Scripting

▶