The Photo Gallery by 10Web plugin is a widely used WordPress plugin designed to help users create attractive, organized image galleries on their websites. It lets site owners display images in various layouts, enhancing the visual appeal of the site. However, a serious vulnerability (CVE-2024-13124) has been discovered in the plugin: an authenticated user with Editor or higher privileges can store JavaScript in a gallery's title field. This Stored Cross-Site Scripting (XSS) vulnerability leads to execution of arbitrary script in the browser of whoever views the gallery in the admin panel, enabling an attacker to act as that user, for example to create a backdoor administrator account and gain full control of the site. With over 200,000 active installations, the flaw affects a large number of websites relying on this plugin.

CVE: CVE-2024-13124
Plugin: Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Critical: High
All time: 18 934 241
Active installations: 200 000+
Publicly published: March 11, 2025
Last updated: March 11, 2025
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13124
https://wpscan.com/vulnerability/5b3bf87b-73a1-47e8-bb00-0dfded07b191/

Timeline

December 4, 2024: Plugin testing and vulnerability detection in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery were completed
December 4, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for a fix
March 11, 2025: Registered CVE-2024-13124

Discovery of the Vulnerability

The vulnerability in the Photo Gallery plugin was identified during a security audit of the plugin’s functionality. The issue lies in the “Gallery Title” field, which is stored without sanitization and later rendered into the page without escaping. Because the title is placed inside a quoted HTML attribute, a value such as 123" onmouseover=alert(1) closes the attribute with its double quote and appends an onmouseover event handler to the element. This is attribute-context injection, which is why the script fires on hover rather than on page load. The payload is stored in the database and executes in the browser of any user who opens the gallery inside a “Gallery Group” in the admin panel and hovers over its title, including an administrator.

Understanding XSS attacks

Cross-Site Scripting (XSS) is a well-known class of web application vulnerability that allows attackers to inject malicious scripts into pages viewed by other users. These attacks are typically delivered through input that is stored or reflected without proper sanitization or output escaping, such as comment sections, form fields or, in this case, the gallery title field. When an XSS vulnerability is exploited, the attacker’s JavaScript runs in the victim’s browser with the victim’s session, which can lead to session hijacking, data theft, defacement or unauthorized actions performed on the victim’s behalf. A similar XSS vulnerability was found in the WordPress plugin WPForms, where attackers could inject malicious code into form fields. CVE-2024-13124 in the Photo Gallery plugin allows attackers to execute JavaScript by injecting it into the gallery’s title field, leading to serious consequences such as account takeover.

Exploiting the XSS Vulnerability

To exploit CVE-2024-13124, an attacker needs an account with Editor or higher privileges and stores the payload through the plugin’s own interface:

POC:

1. Create a new "Gallery" with the title 123" onmouseover=alert(1).
2. Go to "Gallery Groups" and add a new group.
3. Add the gallery to this group and click Save Settings.
4. Hover over the title of the gallery inside the gallery group: the injected onmouseover handler fires and the script runs.

Administrators and editors normally hold the unfiltered_html capability, which lets them place JavaScript in posts, pages and comments by design. When testing for Stored XSS with such roles, disallow that capability first (for example by setting DISALLOW_UNFILTERED_HTML to true in wp-config.php), so that a finding reflects a flaw in the plugin rather than a permitted WordPress feature.


The risks associated with CVE-2024-13124 are significant. If exploited, an attacker can take over the session of an administrator or any other user with elevated privileges. Note that WordPress sets its authentication cookies with the HttpOnly flag, so outright cookie theft is usually not the route; instead, the injected script acts from inside the admin’s authenticated browser session, fetching the required nonce and submitting requests on the admin’s behalf. In that way the attacker can create a new administrator account as a persistent backdoor, install malicious plugins, modify content or extract sensitive data, all without ever knowing the admin’s password. In a real-world scenario, this is enough to deface the website, plant malware or pivot to other systems. Websites handling sensitive data, such as e-commerce sites, membership platforms or business websites, are particularly at risk.

Recommendations for Improved Security

To mitigate the risks posed by CVE-2024-13124, administrators should update the Photo Gallery plugin to the latest version as soon as a patched release is available. In addition, administrators should restrict the unfiltered_html capability for non-admin users, particularly editors, to prevent them from placing JavaScript in plugin settings. On the development side, every user-controlled value that ends up in markup needs both sanitization on input and escaping on output. Functions such as sanitize_text_field() and wp_kses() are appropriate for cleaning input, but they are not sufficient on their own for this bug: sanitize_text_field() strips tags, yet it leaves double quotes intact, so the payload 123" onmouseover=alert(1) would survive it unchanged. The title must also be escaped at the point where it is written into an attribute, with esc_attr(), or with esc_html() when written as element text. Administrators should further conduct regular security audits and consider a Content Security Policy (CSP) as an additional layer against script injection. To fix this issue, the vendor applied our recommended prevention methods.
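The following is an added example, not code from the Photo Gallery plugin, illustrating both the PoC above and the output-escaping recommendation. It models a gallery title being concatenated into a double-quoted HTML attribute (the span markup and its class name are assumed, not the plugin's actual template), shows that the PoC title 123" onmouseover=alert(1) closes the attribute and adds an event handler, applies an attribute-escaping function equivalent to WordPress esc_attr(), and runs a small start-tag tokenizer that reports any on* handler attributes. It runs under Node.js with no dependencies.

```javascript
// Added example, not code from the Photo Gallery plugin. The markup below
// (a span carrying the gallery title) is an assumed shape used only to show
// attribute-context injection and its fix.

// The PoC title from the advisory.
const PAYLOAD = '123" onmouseover=alert(1)';

// Vulnerable pattern: the stored title is concatenated straight into a
// double-quoted attribute and into the element text without escaping.
function renderTitleVulnerable(title) {
  return `<span class="gallery-title" title="${title}">${title}</span>`;
}

// Equivalent of WordPress esc_attr(): encode the five characters that can
// end an attribute value or open a tag. '&' goes first so that entities
// produced by the later replacements are not double-encoded.
function escAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Hardened pattern: escape at the point of output, in both contexts.
function renderTitleSafe(title) {
  const t = escAttr(title);
  return `<span class="gallery-title" title="${t}">${t}</span>`;
}

// Minimal check for one rendered element: tokenize the attributes of its
// start tag (name="v", name='v', name=bare, or a bare name) and return the
// names of any on* event-handler attributes. This is a deliberately small
// approximation of HTML parsing, sufficient for a single start tag such as
// the ones produced by the render functions above.
function eventHandlerAttributes(html) {
  const tag = /^<[a-zA-Z][^\s>]*([^>]*)>/.exec(html);
  if (!tag) return [];
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const handlers = [];
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) {
    if (/^on[a-z]+$/i.test(m[1])) handlers.push(m[1].toLowerCase());
  }
  return handlers;
}

// Does a given title produce an event handler under the given renderer?
function injects(renderer, title) {
  return eventHandlerAttributes(renderer(title)).length > 0;
}

console.log('vulnerable:', renderTitleVulnerable(PAYLOAD));
console.log('  handlers:', eventHandlerAttributes(renderTitleVulnerable(PAYLOAD)));
console.log('hardened:  ', renderTitleSafe(PAYLOAD));
console.log('  handlers:', eventHandlerAttributes(renderTitleSafe(PAYLOAD)));
```

In the vulnerable output the title value ends at the payload's first double quote and onmouseover=alert(1) becomes a separate attribute of the element, which is exactly what fires on hover in the PoC. After escAttr() the quote is &quot;, the browser treats the whole value as attribute text, and no handler exists. Note that the same five-character escape also neutralizes tag-context payloads such as <img src=x onerror=alert(1)> when the title is printed as element text.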

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13124, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability


Dmitrii I.
CVE-2024-13124 – Photo Gallery by 10Web – Stored XSS to JS Backdoor Creation – POC
