CVE-2024-9878 — Cross-site Scripting in Photo Gallery

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

CNA4.4

EPSS

0.4%

top 38.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

10web Photo Gallery 10web Photo Gallery BY 10web Mobile-friendly Image Gallery

Timeline

PublishedNov 5

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and in…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV510web/photo_gallery_by_10web_mobile-friendly_image_gallery1.8.30

▶NVD10web/photo_gallery< 1.8.31

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

Photo Gallery by 10Web <= 1.8.30 - Authenticated (Administrator+) Stored Cross-Site Scripting↗2024-11-05

▶

GHSA

GHSA-5mhc-5mf7-5pjm: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all↗2024-11-05

▶