CVE-2014-9441

Name of the Vulnerable Software and Affected Versions Lightbox Photo Gallery plugin version 1.0 for WordPress

Description The issue allows remote attackers to hijack the authentication of administrators for requests, potentially leading to changes in plugin settings or cross-site scripting (XSS) attacks. This can be achieved via unspecified vectors or by exploiting the ll opt[image2 url] or ll opt[image3 url] parameter in a "ll save settings" action to the "wp-admin/admin-ajax.php" API endpoint.

Recommendations For Lightbox Photo Gallery plugin version 1.0, consider disabling the plugin until a patch is available to prevent potential exploitation. Restrict access to the "wp-admin/admin-ajax.php" API endpoint to minimize the risk of cross-site request forgery (CSRF) attacks. Avoid using the ll opt[image2 url] and ll opt[image3 url] parameters in the "ll save settings" action until the issue is resolved.