CVE-2021-24291

Name of the Vulnerable Software and Affected Versions The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin versions prior to 1.5.69

Description The issue concerns Reflected Cross-Site Scripting (XSS) problems. The vulnerability can be exploited via the gallery id, tag, album id, and id GET parameters passed to the "bwg frontend data" AJAX action. This action is accessible to both unauthenticated and authenticated users.

Recommendations For versions prior to 1.5.69, update to version 1.5.69 or later to resolve the issue. As a temporary workaround, consider restricting access to the "bwg frontend data" AJAX action to minimize the risk of exploitation. Avoid using the gallery id, tag, album id, and id parameters in the affected AJAX endpoint until the issue is resolved.