CVE-2024-8670 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability in the Photo Gallery by 10Web plugin, a popular WordPress plugin with over 200,000 installations. This vulnerability allows contributors or editors to inject malicious JavaScript (JS) into the gallery settings, specifically in the “Title” field. Exploiting this vulnerability can lead to admin account hijacking, persistent backdoor creation, and potential long-term control of the WordPress site.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-8670 |
| Plugin | Photo Gallery by 10Web < 1.8.29 |
| Severity | High |
| All-time downloads | 18 517 783 |
| Active installations | 200 000+ |
| Publicly Published | September 14, 2024 |
| Last Updated | September 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8670 , https://wpscan.com/vulnerability/50665594-778b-42f5-bfba-2a249a5e0260/ |
Timeline
| Date | Event |
| --- | --- |
| August 6, 2024 | Plugin testing and vulnerability detection in the Photo Gallery by 10Web have been completed |
| August 6, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| September 14, 2024 | Registered CVE-2024-8670 |
Discovery of the Vulnerability
During routine security testing of the Photo Gallery by 10Web plugin, it was discovered that the “Title” field in gallery settings does not properly sanitize input. This oversight allows an attacker to embed harmful JavaScript, which then executes whenever an administrator or another privileged user views the gallery.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is a common and dangerous web vulnerability that occurs when web applications fail to properly sanitize user inputs. Stored XSS, as seen in CVE-2024-8670, is particularly hazardous because the malicious script is saved in the database and executed whenever the infected content is accessed.
In the context of WordPress plugins, XSS vulnerabilities can enable attackers to hijack user sessions, steal sensitive data, or escalate privileges. For example, by embedding JavaScript in the Photo Gallery’s “Title” field, an attacker can execute code whenever a privileged user accesses the gallery, potentially leading to unauthorized account access or site manipulation.
Exploiting the XSS Vulnerability
To exploit CVE-2024-8670, an attacker with editor- or contributor-level access creates a new gallery in the Photo Gallery by 10Web plugin and inserts a payload into its "Title" field.
PoC:
Create a new "Gallery". In the gallery settings, change the "Title" field to a value containing JavaScript (an eval() call or similar), for example `123" onmouseover=alert(1)//`, then click Save Settings. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles.)
The risks associated with CVE-2024-8670 are substantial. Successful exploitation can lead to full site takeover, data breaches, or the installation of persistent backdoors. High-traffic sites or business platforms using Photo Gallery by 10Web are particularly vulnerable, as attackers could exploit the site to steal sensitive data or redirect users to malicious sites.
In a real-world scenario, attackers could use this vulnerability to steal credentials, install malware, or manipulate site content. The ability to create backdoors also enables attackers to retain control over the site even after the initial vulnerability is discovered and patched, leading to long-term security risks.
Recommendations for Improved Security
To mitigate the risks of CVE-2024-8670, WordPress administrators should update the Photo Gallery by 10Web plugin to the latest version as soon as a patch is available. Developers must ensure that all input fields, particularly the “Title” field, are properly sanitized to prevent the injection of JavaScript or other malicious code.
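The following is an added example, not the plugin's own code (the page does not show the vendor's fix). It models the "Title" field being written into an HTML attribute: once verbatim, as the advisory describes, and once through an attribute-context encoder modelled on WordPress's esc_attr(). A small attribute tokeniser, written here for the demo, lists what a browser would parse from each result, so the effect of the PoC value from this page is visible without a browser.

```javascript
// Added example: why the CVE-2024-8670 payload breaks out of an HTML attribute,
// and how output encoding stops it. Constructed demo, not Photo Gallery code.

// Stored "Title" value, taken from the advisory's PoC above.
const POC_TITLE = '123" onmouseover=alert(1)//';

// Vulnerable rendering: the stored title is interpolated into markup verbatim.
// (Hypothetical template; the real plugin markup is not shown on the page.)
function renderTitleVulnerable(title) {
  return `<div class="gallery-title" title="${title}">${title}</div>`;
}

// Attribute-context encoder modelled on WordPress esc_attr(): every character
// that can close an attribute value or open a tag becomes an HTML entity.
function escAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: encode on output, once, for the context it lands in.
function renderTitleSafe(title) {
  const safe = escAttr(title);
  return `<div class="gallery-title" title="${safe}">${safe}</div>`;
}

// Minimal attribute tokeniser for the first tag of a markup string. It follows
// the browser rule that a quoted value ends at the next matching quote and an
// unquoted value ends at whitespace or '>', which is exactly what the payload
// abuses to smuggle in a second, event-handler attribute.
function attributeNames(markup) {
  const tag = markup.match(/^<[a-z]+\s([^>]*)>/i);
  if (!tag) return [];
  const names = [];
  const re = /([a-z-]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

console.log(attributeNames(renderTitleVulnerable(POC_TITLE))); // [ 'class', 'title', 'onmouseover' ]
console.log(attributeNames(renderTitleSafe(POC_TITLE)));       // [ 'class', 'title' ]
```

The same title yields an extra onmouseover attribute in the vulnerable rendering and stays inert text inside the title attribute once encoded; input-side sanitising (sanitize_text_field on save) is a useful second layer, but the context-correct output encoding is what removes the bug.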
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-8670, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.