VYPR
Medium severity 5.9 · NVD Advisory · Published Oct 6, 2024 · Updated Apr 23, 2026

CVE-2024-44043

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.27.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in 10Web Photo Gallery plugin for WordPress allows attackers with low privileges to inject malicious scripts.

The 10Web Photo Gallery plugin for WordPress (versions up to and including 1.8.27) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This allows an authenticated user with low-level privileges to inject arbitrary JavaScript or HTML into gallery pages.

To exploit this vulnerability, an attacker must have contributor-level access or higher to the WordPress site. The injected payload is stored on the server and executed in the browsers of other users, including administrators and visitors, when they view the affected gallery pages. User interaction is required for the initial injection, but subsequent execution is automatic.

Successful exploitation enables an attacker to perform actions such as redirecting visitors to malicious sites, displaying advertisements, or stealing session cookies. This type of vulnerability is commonly used in mass-exploit campaigns targeting multiple WordPress sites simultaneously [1].

The vendor released version 1.8.28 to fix the issue. Users are strongly advised to update the plugin immediately. For sites that cannot be updated right away, temporary mitigations include restricting contributor-level access and using a web application firewall [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
