Reflected Cross-Site Scripting Vulnerability in Exhibit to WP Gallery WordPress Plugin
CVE-2024-12096
Key Information:
- Vendor: WordPress
- Plugin: Exhibit To WP Gallery
- CVE Published: 24 December 2024
Summary
The Exhibit to WP Gallery WordPress plugin, up to version 0.0.2, contains a vulnerability that allows for reflected cross-site scripting (XSS) attacks. This issue arises from the lack of proper sanitization and escaping of a specific parameter before it is rendered on the web page. Attackers could exploit this weakness to inject malicious scripts, posing a significant risk, especially to users with elevated privileges, such as administrators. Administrators unaware of this vulnerability may inadvertently expose their sites to unauthorized actions or data theft. To mitigate risks, it's recommended to update the plugin and implement security best practices for WordPress.
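The unsafe pattern the summary describes (a request parameter reflected into the page without sanitization or escaping) beside a hardened version that uses WordPress core helpers. This is an added example, not the plugin's own code; the page does not name the affected parameter, so `gallery_view` and the function names are placeholders.

```php
<?php
// Added example (not the plugin's code). The affected parameter is not named
// on this page, so 'gallery_view' is a placeholder.

// Vulnerable pattern: the request parameter is echoed into the response as-is,
// so whatever markup a link carries in ?gallery_view= is reflected to the viewer.
function exhibit_render_heading_vulnerable() {
    $view = isset( $_GET['gallery_view'] ) ? $_GET['gallery_view'] : '';
    echo '<h2 class="gallery-heading">' . $view . '</h2>';
}

// Hardened pattern: sanitize on input, escape on output, using WordPress core
// helpers. sanitize_text_field() strips tags and control characters;
// esc_html() encodes the value for a text context.
function exhibit_render_heading_safe() {
    $view = isset( $_GET['gallery_view'] )
        ? sanitize_text_field( wp_unslash( $_GET['gallery_view'] ) )
        : '';
    echo '<h2 class="gallery-heading">' . esc_html( $view ) . '</h2>';
}

// The escaping function must match the output context: esc_url() for a URL,
// esc_attr() inside an attribute, esc_html() for element text.
function exhibit_render_link_safe( $view ) {
    $view = sanitize_text_field( $view );
    printf(
        '<a class="gallery-link" href="%s" data-view="%s">%s</a>',
        esc_url( add_query_arg( 'gallery_view', $view ) ),
        esc_attr( $view ),
        esc_html( $view )
    );
}
```

Checking the plugin's output functions for the first pattern (a raw `$_GET` or `$_REQUEST` value reaching `echo` or `printf` with no `esc_*` call) is the quickest way to confirm whether an installed version is exposed.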
Affected Version(s)
Exhibit to WP Gallery, versions 0 through 0.0.2 (inclusive)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved