The Photo Gallery by 10Web plugin, widely used for managing and displaying image galleries in WordPress, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10704. This flaw allows attackers with editor-level access to inject malicious JavaScript code into the “Gallery Title” field, which is then stored and executed on the site. By exploiting this vulnerability, attackers can create a backdoor for executing arbitrary JavaScript, potentially leading to account takeover and full site compromise. With over 200,000 active installations, this vulnerability represents a significant security risk to WordPress users.
| CVE | CVE-2024-10704 |
| Plugin | Photo Gallery by 10Web < 1.8.31 |
| Critical | High |
| All Time | 18 211 144 |
| Active installations | 200 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10704 https://wpscan.com/vulnerability/6c115117-11c0-4c9e-9988-8547c9364c01/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 17, 2024 | Plugin testing and vulnerability detection in the Photo Gallery by 10Web have been completed |
| October 17, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10704 |
Discovery of the Vulnerability
During a security audit of the Photo Gallery by 10Web plugin, it was discovered that the plugin does not properly sanitize inputs in the “Gallery Title” field. This oversight allows an attacker with editor-level privileges to inject malicious JavaScript code into the title field, which is stored in the WordPress database and rendered without proper sanitization when viewed. The issue arises from the plugin’s failure to sanitize the input field adequately, enabling malicious scripts to be executed whenever the gallery is accessed. This flaw poses a significant risk as editors, who typically have limited privileges, can exploit this vulnerability to inject scripts, creating a backdoor for unauthorized access.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common types of vulnerabilities in web applications, including WordPress plugins. XSS occurs when an attacker is able to inject malicious scripts into webpages, which are then executed in the browser of users who visit the page. These scripts can steal sensitive data, hijack sessions, or perform actions on behalf of the user. In WordPress, XSS vulnerabilities often appear in user-generated content fields where input is not properly sanitized before being displayed on the site. A notable example is the vulnerability found in the WordPress plugin WPForms, where malicious scripts were injected into form fields, leading to session hijacking and other exploits. CVE-2024-10704 similarly exploits improper input sanitization, allowing attackers to inject JavaScript into the gallery settings and execute it when the gallery is accessed.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10704, an attacker with editor-level privileges:
POC:
You should create new "Gallery". You should change "Gallery Title" field to "Malicious JS code eval() and etc. For example test','bwg-hidden');alert(1123123);// -> Save Settings____
The potential risks associated with CVE-2024-10704 are considerable. If exploited, an attacker could create a persistent backdoor that grants unauthorized access to the WordPress site. This could result in session hijacking, where the attacker impersonates legitimate users, or the creation of a backdoor admin account, which would allow the attacker to take full control of the site. In a real-world scenario, an attacker could modify the gallery’s content, steal sensitive data, inject additional malicious scripts into the site, or install malware. For websites that store sensitive information or rely on the integrity of their content, such as e-commerce sites or membership-based platforms, this vulnerability could lead to severe financial, reputational, and data security consequences. Furthermore, this vulnerability could be leveraged as part of a larger attack, where the attacker gains control over other sites or systems connected to the WordPress installation.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10704, it is crucial for administrators to update the Photo Gallery by 10Web plugin to the latest version as soon as a patch is released. In addition, administrators should restrict access to plugin settings like the “Gallery Title” field for non-admin users, especially those with limited privileges like editors. Ensuring that all user inputs, particularly in fields like titles and descriptions, are properly sanitized before being stored and rendered is essential to prevent XSS attacks. It is also recommended to limit the unfiltered_html capability for non-admin users, which would prevent them from injecting JavaScript into posts, pages, and plugin settings. Regular security audits, the use of security plugins, and the implementation of Content Security Policies (CSP) can further help to detect and mitigate the impact of such vulnerabilities. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10704, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
