CVE-2024-5426

Name of the Vulnerable Software and Affected Versions: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress versions up to, and including, 1.8.23

Description: The issue is related to Stored Cross-Site Scripting via the svg parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, exploitation is limited to administrators, but contributors on pro versions of the plugin may also be able to exploit this issue if they have been granted the ability to use and configure Photo Gallery.

Recommendations: For versions up to, and including, 1.8.23, update to a version later than 1.8.23 to resolve the issue. As a temporary workaround, consider restricting access to the svg parameter to minimize the risk of exploitation. Additionally, limiting the ability to use and configure Photo Gallery to only trusted administrators can help reduce the attack surface.