Medium severity6.5NVD Advisory· Published Jun 6, 2024· Updated Apr 8, 2026

CVE-2024-4194

Description

The The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affected products

Essentialplugin/Album And Image Gallery Plus Lightbox
cpe:2.3:a:essentialplugin:album_and_image_gallery_plus_lightbox:*:*:*:*:free:wordpress:*:*
Range: <2.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.wordfence.com/threat-intel/vulnerabilities/id/4822f1c7-3f83-416c-8957-17e4b53d7e69nvdThird Party Advisory
plugins.trac.wordpress.org/browser/album-and-image-gallery-plus-lightbox/trunk/includes/shortcode/aigpl-gallery-album-slider.phpnvdProduct
plugins.trac.wordpress.org/browser/album-and-image-gallery-plus-lightbox/trunk/includes/shortcode/aigpl-gallery-album.phpnvdProduct
plugins.trac.wordpress.org/changesetnvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000