CVE-2021-24362

Photo Gallery <= 1.5.74 - Stored Cross-Site Scripting via Uploaded SVG

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1

CVSS Score

6.1

CVSS Score

medium

Severity

1.5.75

Patched in

919d

Time to patch

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Low

Confidentiality

Low

Integrity

None

Availability

Technical Details

Affected versions<1.5.75

PublishedJuly 18, 2021

Last updatedJanuary 22, 2024

Affected pluginphoto-gallery

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/835f553b-9c43-47f2-aecf-61c9397e6b5b?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database