Stored Cross-Site Scripting Vulnerability in Photo Gallery by 10Web Plugin
CVE-2024-10704

Currently unrated

Key Information:

Vendor
Wordpress
Status
Photo Gallery By 10web
Vendor
CVE Published:
29 November 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

The Photo Gallery by 10Web WordPress plugin, prior to version 1.8.31, contains a critical stored cross-site scripting (XSS) vulnerability. This flaw originates from the plugin's failure to properly sanitize and escape certain settings, enabling high-privilege users, such as administrators, to execute harmful scripts. Importantly, this vulnerability may be exploited even in environments where the unfiltered_html capability is restricted, such as multisite configurations. As a result, this presents a significant risk for WordPress sites utilizing this plugin, highlighting the necessity for prompt updating and vigilant security practices.

Affected Version(s)

Photo Gallery by 10Web 0 < 1.8.31

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10704 - Proof of Concept

References

https://wpscan.com/vulnerability/6c115117-11c0-4c9e-9988-...
exploitvdb-entrytechnical-description

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
WPScan
.