CVE-2024-12114

Name of the Vulnerable Software and Affected Versions FooGallery – Responsive Photo Gallery plugin versions prior to 2.4.30

Description The issue allows authenticated attackers with granted access and above to update arbitrary post and page content due to missing validation on a user-controlled key (img id) in the foogallery attachment modal save AJAX action. This requires the Gallery Creator Role setting to be a value lower than 'Editor' for there to be any real impact.

Recommendations For versions prior to 2.4.30, update to version 2.4.30 or later to resolve the issue. As a temporary workaround, consider setting the Gallery Creator Role to 'Editor' or higher to minimize the risk of exploitation. Restrict access to the foogallery attachment modal save AJAX action to prevent unauthorized updates to post and page content.