CVE-2024-38713

Vulnerability

Overview CVE-2024-38713 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Photo Album Plus plugin for WordPress, affecting versions from n/a through 8.8.02.002. The issue arises from improper neutralization of input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript code that gets stored and executed when visitors access affected pages [1].

Exploitation

Prerequisites Exploitation requires authenticated access with at least the role specified in the advisory (likely Contributor or higher). The attacker must be able to inject malicious payloads into the plugin's input fields, which are then stored and displayed to other users. Successful exploitation also requires a privileged user (e.g., an admin) to perform an action such as clicking a link or visiting a crafted page, as indicated by the CVSS vector requiring user interaction [1].

Impact

If exploited, an attacker can execute arbitrary scripts in the context of the victim's browser, leading to potential consequences such as session hijacking, defacement, redirection to malicious sites, or theft of sensitive data. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting WordPress sites [1].

Mitigation

The vendor has released a patched version 8.8.02.003. Users are strongly advised to update immediately. Alternatively, Patchstack provides a mitigation rule to block attacks until updating is possible [1].