The Photo Gallery, Images, Slider in Rbs Image Gallery plugin is a widely used tool for managing and displaying galleries, sliders, and images on WordPress websites. It offers a variety of features to enhance the visual experience of WordPress sites and has over 50,000 active installations. However, a critical security vulnerability, CVE-2024-10144, has been discovered that allows attackers to inject malicious JavaScript (JS) code. Through a stored XSS attack, this vulnerability enables attackers to escalate their privileges, potentially resulting in the creation of an admin account. It exposes sites to a range of malicious activities, including unauthorized access and potential data breaches.

CVE: CVE-2024-10144
Plugin: Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.22
Criticality: High
All Time: 2 129 444
Active installations: 50 000+
Publicly Published: March 11, 2025
Last Updated: March 11, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10144
https://wpscan.com/vulnerability/a83521d3-0aba-493d-8dec-e764277e69b8/

Timeline

September 25, 2024: Plugin testing and vulnerability detection in the Photo Gallery, Images, Slider in Rbs Image Gallery have been completed
September 25, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
March 11, 2025: Registered CVE-2024-10144

Discovery of the Vulnerability

CVE-2024-10144 was discovered during a security audit of the Photo Gallery, Images, Slider in Rbs Image Gallery plugin. The vulnerability lies in the “Title” field for images within the gallery settings. When users upload or modify images, the plugin does not properly sanitize or validate the input in the Title field, so contributors or other users with lower privileges can inject arbitrary JavaScript code. Once saved, the injected script is stored in the WordPress database and executed when an admin views the gallery. This flaw makes it possible for attackers to escalate their privileges from a contributor or other low-level user role to admin, which could lead to full site control.

Understanding XSS Attacks

Cross-Site Scripting (XSS) vulnerabilities are one of the most common and dangerous types of security flaws found in web applications. They occur when an application allows users to inject and execute malicious scripts in the browser of a victim, such as administrators or other users with elevated privileges. In WordPress, XSS vulnerabilities can allow attackers to steal session cookies, hijack accounts, modify content, or even execute administrative commands. Real-world examples of XSS attacks in WordPress include incidents in plugins like WPForms, which allowed attackers to execute JavaScript payloads in form fields, leading to unauthorized access and actions on the site. Similarly, CVE-2024-10144 enables attackers to exploit the XSS vulnerability to perform unauthorized actions, such as creating new admin accounts.

Exploiting the XSS Vulnerability

To exploit CVE-2024-10144, an attacker with contributor+ privileges proceeds as follows.

PoC:

1) Create a new Robo Gallery.
2) Add any image to it and fill every empty field with some text.
3) Put any malicious JavaScript inside the image's Title field, for example: <img src=x onerror=alert(1)>


The risks associated with CVE-2024-10144 are significant, particularly for WordPress websites that rely on the Photo Gallery plugin for visual content display. In a real-world scenario, an attacker could exploit this vulnerability to escalate from a low-privileged contributor to an admin. Once the attacker has admin access, they can perform a variety of malicious actions, such as installing malware, stealing user data, or even deleting important site files. The attacker could also add more backdoors, making it difficult for the legitimate site administrators to detect and remove the threat. This vulnerability is especially dangerous for e-commerce sites, membership platforms, or any site that handles sensitive user data, as it could lead to data leaks, account takeovers, and loss of control over the website.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-10144, users of the Photo Gallery, Images, Slider in Rbs Image Gallery plugin should update to a patched version (3.2.22 or later, per the affected range above). Plugin developers should implement proper input validation and output encoding to sanitize all user-supplied data, particularly in fields that are rendered as HTML, such as the “Title” field. Functions like esc_html() and wp_kses() should be used to prevent injected code from being executed. Additionally, WordPress site administrators should limit the ability to modify gallery settings to trusted roles and regularly audit their plugins for vulnerabilities. Using a Web Application Firewall (WAF) and conducting regular security scans can help detect and block XSS attacks before they cause harm. To prevent this type of attack, the vendor applied our recommended methods of prevention.
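As an added illustration of the recommendations above (example code, not the plugin's or the author's), the following shows an image Title value rendered unsafely into admin-page HTML, then escaped on output with esc_html() and sanitized on save; the rbs_example_ function names are assumptions, and the snippet expects to run inside a WordPress install (for example via `wp eval-file`).

```php
<?php
/**
 * Added example, not the plugin's own code: the image Title flowing from a
 * contributor's form into admin-page HTML, shown unsafely and then with the
 * escaping/sanitizing the recommendations call for. Function names prefixed
 * rbs_example_ are hypothetical; the payload is the one from the PoC above.
 * Run inside a WordPress install, e.g. `wp eval-file this-file.php`.
 */

// Vulnerable output: whatever was stored is concatenated straight into HTML,
// so a stored <img onerror=...> is parsed as markup in the admin's browser.
function rbs_example_render_title_unsafe( $title ) {
	return '<span class="rbs-title">' . $title . '</span>';
}

// Hardened output: esc_html() converts < > & " ' to entities at render time,
// so the stored string is displayed as text rather than parsed as markup.
function rbs_example_render_title_safe( $title ) {
	return '<span class="rbs-title">' . esc_html( $title ) . '</span>';
}

// Hardened input: decide on save what a user may store at all. Contributors
// (no unfiltered_html capability) get plain text only; trusted roles are
// still limited to wp_kses_post()'s allow-list, which carries no on* handlers.
function rbs_example_sanitize_title( $raw ) {
	$value = wp_unslash( $raw );
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		return sanitize_text_field( $value );
	}
	return wp_kses_post( $value );
}

// Defensive check usable in unit tests or a content scanner: true when the
// rendered fragment contains no raw <img tag from the untrusted value.
function rbs_example_is_inert( $html ) {
	return false === strpos( $html, '<img' );
}

$payload = '<img src=x onerror=alert(1)>';
echo rbs_example_render_title_unsafe( $payload ), "\n";
echo rbs_example_render_title_safe( $payload ), "\n";
echo rbs_example_render_title_unsafe( rbs_example_sanitize_title( $payload ) ), "\n";
var_dump( rbs_example_is_inert( rbs_example_render_title_safe( $payload ) ) );
```

Under WP-CLI the current user is anonymous unless `--user` is given, so the sanitize branch taken by rbs_example_sanitize_title() is the contributor (no unfiltered_html) path by default.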

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10144, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2024-10144 – Photo Gallery, Images, Slider in Rbs Image Gallery – Stored XSS to Admin Creation (Contributor+) – POC
