CVE-2024-29832

Name of the Vulnerable Software and Affected Versions admin-ajax.php (affected versions not specified)

Description The issue concerns a reflected Cross Site Scripting vulnerability in the "current url" parameter of the AJAX call to the "GalleryBox" action of admin-ajax.php. This allows an attacker to insert and execute arbitrary JavaScript, as the value of the "current url" parameter is embedded within an existing JavaScript in the response. No authentication is required to exploit this issue. Other parameters, such as image id, must be valid for successful exploitation.

Recommendations As a temporary workaround, consider restricting access to the "GalleryBox" action of admin-ajax.php until a patch is available. Avoid using the current url parameter in the affected AJAX call to the "GalleryBox" action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.