Robo Gallery, a popular WordPress plugin used for displaying photo galleries and sliders, contains a critical vulnerability, CVE-2024-10102. This flaw allows attackers to inject malicious JavaScript code into the plugin’s settings via a simple stored Cross-Site Scripting (XSS) attack. The vulnerability can be exploited by users with contributor privileges, enabling them to create a backdoor in the WordPress admin area. This backdoor can then be used to hijack admin accounts, potentially gaining full control of the website. With over 50,000 active installations, this vulnerability poses a significant risk to sites using Robo Gallery.
| CVE | CVE-2024-10102 |
| Plugin | Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.22 |
| Critical | High |
| All Time | 2 086 715 |
| Active installations | 50 000+ |
| Publicly Published | December 17, 2024 |
| Last Updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10102 https://wpscan.com/vulnerability/3b34d1ec-5370-40a8-964e-663f4f9f42f8/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| September 26, 2024 | Plugin testing and vulnerability detection in the Robo Gallery have been completed |
| September 26, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | Registered CVE-2024-10102 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of Robo Gallery. The issue lies in the “Padding Left” field when adding an image to a gallery. The plugin fails to properly sanitize user inputs in this field, allowing for the injection of JavaScript. When a contributor-level user enters a malicious payload in the “Padding Left” field (e.g., % onmouseover=alert(1)), the malicious script is saved and rendered on the frontend when the gallery is viewed. This flaw stems from improper input validation and sanitization in fields that are used for styling and content configuration, making it an easy target for attackers with minimal privileges.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities occur when an attacker is able to inject malicious JavaScript into a web page, which is then executed in the browsers of users who visit the page. This type of vulnerability is commonly found in WordPress plugins that handle user-generated content, such as image galleries or form fields. A real-world example of XSS in WordPress occurred in the WPForms plugin, where attackers could inject JavaScript into form fields, which could be executed in the browsers of users who submitted the forms. Similarly, CVE-2024-10102 exploits improper sanitization in Robo Gallery, allowing contributors to inject JavaScript into the “Padding Left” field, which is then executed when the gallery is rendered.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10102, an attacker with contributor-level privileges:
POC:
1) Create a new Robo Gallery 2) Add here any "Image" with any text 3) Put inside "Padding Left" any Malicious JS -> like this " % onmouseover=alert(1)____
The risks associated with CVE-2024-10102 are considerable. A successful exploitation could lead to the hijacking of an administrator’s session, allowing the attacker to gain full control over the WordPress site. Once an attacker has admin access, they can perform a wide range of malicious actions, such as altering content, stealing user data, installing malicious plugins, or even defacing the site. For websites that handle sensitive information, such as e-commerce or membership sites, this vulnerability could lead to data breaches, financial losses, and reputational damage. A real-world scenario might involve an attacker using the XSS vulnerability to gain access to an admin account, giving them the ability to modify site content, change user roles, or access confidential user data. This vulnerability could also serve as an entry point for further attacks, allowing the attacker to target other connected systems.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10102, administrators should immediately update Robo Gallery to the latest patched version as soon as it becomes available. Additionally, administrators should restrict the unfiltered_html capability for non-admin users, particularly contributors, to prevent the injection of JavaScript into plugin settings. Input fields, especially those used for styling or content configuration, should be properly sanitized and validated to prevent malicious script injection. Implementing Content Security Policies (CSP) and conducting regular security audits of WordPress plugins can help detect and block XSS vulnerabilities before they can be exploited. Furthermore, administrators should limit user privileges, ensuring that contributors only have access to the fields they need to perform their tasks. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10102, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
