CVE-2021-24310

Published: Jun 1, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117

Affected (1)

Products: 10web: Photo Gallery

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
10web Photo Gallery	Before 1.5.67

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://wpscan.com/vulnerability/f34096ec-b1b0-471d-88a4-4699178a3165

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/f34096ec-b1b0-471d-88a4-4699178a3165

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.