CVE-2021-24362

Name of the Vulnerable Software and Affected Versions The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin versions prior to 1.5.75

Description The issue arises from the plugin's failure to ensure that uploaded SVG files added to a gallery do not contain malicious content. This allows users who can add images to the gallery to upload an SVG file containing JavaScript code. When the image is accessed directly, for example in the /wp-content/uploads/photo-gallery/ folder, the JavaScript code is executed, leading to a Cross-Site Scripting (XSS) issue.

Recommendations For versions prior to 1.5.75, update to version 1.5.75 or later to resolve the issue. As a temporary workaround, consider restricting the ability for users to upload SVG files to the gallery until the update is applied. Additionally, restrict access to the /wp-content/uploads/photo-gallery/ folder to minimize the risk of exploitation.