CVE-2023-6924
Description
The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It can also be exploited with a contributor-level permission with a page builder plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Photo Gallery by 10Web plugin up to 1.8.18 allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts via widget attributes.
Vulnerability
The Photo Gallery by 10Web plugin for WordPress versions up to and including 1.8.18 contains a stored cross-site scripting (XSS) vulnerability in its widget functionality. The plugin's widgets (WidgetSlideshow.php, Widget.php, WidgetTags.php) accept user-supplied attributes such as width, height, and other parameters without proper input sanitization or output escaping [2][3][4]. This allows authenticated users to inject arbitrary HTML and JavaScript into the widget output, which is then stored and executed when a page containing the widget is viewed.
Exploitation
An attacker must have an account with administrator-level permissions on the WordPress site to access the widget settings and inject malicious payloads. The official description also notes that a contributor-level user can exploit this vulnerability if a page builder plugin is used to provide widget attribute controls. The attacker would craft a malicious value (e.g., a JavaScript event handler) for a widget attribute, save the widget, and the injected script will execute for any user visiting the page where the widget is displayed. No additional user interaction is required beyond the initial save.
Impact
Successful exploitation leads to stored cross-site scripting. Attacker-supplied scripts execute in the context of the victim's browser, potentially allowing session cookie theft, redirection to malicious sites, defacement, or other actions that the compromised WordPress user could perform. The issue affects any page that includes the affected widget, and the stored script persists until the widget is edited or removed.
Mitigation
The vulnerability is fixed in version 1.8.19 of the Photo Gallery plugin. Users should update to 1.8.19 or later, which includes proper input sanitization and output escaping for widget attributes [1]. Plugin administrators can check for updates in the WordPress admin dashboard or download the latest version from the WordPress plugin repository. There are no known workarounds for earlier versions; updating is the recommended mitigation.
- Photo Gallery by 10Web – Mobile-Friendly Image Gallery
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.18/admin/views/WidgetSlideshow.php#L64
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.18/admin/views/Widget.php#L94
- https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.18/admin/views/WidgetTags.php#L58
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.8.18
Patches
1r3013021Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/changeset/3013021/photo-gallerynvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/21b4d1a1-55fe-4241-820c-203991d724c4nvdThird Party Advisory
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.18/admin/views/Widget.phpnvdIssue Tracking
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.18/admin/views/WidgetSlideshow.phpnvdIssue Tracking
- plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.18/admin/views/WidgetTags.phpnvdIssue Tracking
News mentions
0No linked articles in our index yet.