VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 6, 2024 · Updated Apr 8, 2026

CVE-2024-2296

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.8.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. CVE-2024-29833 appears to be a duplicate of this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The 10Web Photo Gallery plugin ≤1.8.21 stores SVG files without proper sanitization, allowing admin-level XSS on multisite or unfiltered_html-disabled sites.

Vulnerability

Overview

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via SVG file uploads in all versions up to and including 1.8.21. The root cause is insufficient input sanitization and output escaping when handling SVG files, which allows malicious scripts embedded in the SVG to be stored and later executed in the context of any user visiting the affected page [1].

Attack

Prerequisites and Exploitation

Exploitation requires authenticated access with administrator-level privileges. The vulnerability is only exploitable on multi-site WordPress installations or on single-site installations where the unfiltered_html capability has been disabled. An attacker can upload a crafted SVG file containing JavaScript through the plugin's gallery upload functionality. When the SVG is rendered on a gallery page, the injected script executes in the browser of any user who views that page [1].

Impact

Successful exploitation allows the attacker to inject arbitrary web scripts into the context of the affected gallery page. This can lead to theft of authentication cookies, session tokens, or other sensitive data, as well as unauthorized actions performed on behalf of the victim user, such as page content modification or privilege escalation, depending on the victim's permissions [1].

Mitigation and Patch Status

The vendor has released version 1.8.22 of the plugin, which resolves the vulnerability by properly sanitizing SVG file uploads. Users are strongly advised to update to version 1.8.22 or later. No workaround is provided besides updating the plugin [1]. Note that CVE-2024-29833 appears to be a duplicate of this issue.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
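The fix is described above only as "properly sanitizing SVG file uploads". The following Python is an added example, not code from the 10Web plugin or its 1.8.22 release, showing the kind of pre-storage gate a defender would put in front of an SVG upload path: it parses the file and reports every element, event-handler attribute, URL scheme or DTD declaration that would let the image carry active content. It assumes the upload pipeline can pass the raw SVG text to find_active_content() and reject the file when the returned list is non-empty; the sample SVGs are constructed for the example. For untrusted input in production the defusedxml package is the usual choice over the standard-library parser; the DOCTYPE rejection here is a simpler stand-in for that.

```python
"""Flag SVG uploads that carry active content (added example, not the plugin's code)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Element names (lowercased, namespace stripped) that can execute script or embed
# foreign content when the SVG is rendered inline on a page.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URL, checked for schemes that run script or smuggle content.
URL_ATTRIBUTES = {"href", "src"}
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip a namespace prefix like {http://www.w3.org/2000/svg} and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    upper = svg_text.upper()
    # A DTD in an upload is never needed for an image and enables entity-expansion tricks,
    # so refuse it before the parser ever sees it.
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    # root.iter() yields the root itself first, so an onload on <svg> is seen too.
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # xlink:href arrives as {xlink-ns}href and becomes "href"
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith(ACTIVE_SCHEMES):
                scheme = value.strip().split(":", 1)[0].lower()
                findings.append(f"{name} with {scheme}: scheme on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """Accept the upload only when no finding was produced."""
    return not find_active_content(svg_text)


# Constructed sample inputs for the example (not taken from any real upload).
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4" fill="teal"/></svg>'
)
SCRIPT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>console.log("constructed sample")</script></svg>'
)
HANDLER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(\'constructed sample\')">'
    '<rect width="1" height="1"/></svg>'
)
LINK_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="javascript:console.log(1)"><text>click</text></a></svg>'
)
ENTITY_SVG = (
    '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "y">]>'
    '<svg xmlns="http://www.w3.org/2000/svg"/>'
)

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG), ("entity", ENTITY_SVG)]:
        print(f"{label:8s} safe={is_safe_svg(doc)} findings={find_active_content(doc)}")
```

The gate is deliberately allow-by-exception: anything it cannot parse, anything with a DTD, and any element or attribute on the active lists is rejected rather than cleaned, which is the safer policy for a file type that only needs to be an image. Names are lowercased before comparison because browsers rendering SVG inline within HTML treat tag and attribute names case-insensitively.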

Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (no linked articles in our index yet)