CVE-2024-5162

Name of the Vulnerable Software and Affected Versions WordPress prettyPhoto plugin for WordPress version 1.2.3 and earlier

Description The WordPress prettyPhoto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recommendations For WordPress prettyPhoto plugin for WordPress version 1.2.3 and earlier, consider disabling the url parameter until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of arbitrary web script injection. Update to a version that fixes the insufficient input sanitization and output escaping issue when available.