CVE-2023-6924 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin, affecting all versions up to and including 1.8.18. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in widgets. An attacker with authenticated access at administrator level or higher can inject arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. Notably, exploitation is also possible by users with contributor-level permissions if a page builder plugin is present, broadening the attack surface. The vulnerability does not require user interaction to trigger once the malicious script is injected, and it affects the confidentiality and integrity of data by enabling script execution in the context of the victim's browser. The CVSS v3.1 base score is 4.4 (medium severity), reflecting network attack vector, high attack complexity, high privileges required, no user interaction, and partial impact on confidentiality and integrity without affecting availability. There are no known exploits in the wild as of the publication date, and no official patches have been linked yet. The vulnerability is significant because WordPress is widely used across many European organizations, and plugins like 10Web Photo Gallery are popular for managing image content, making this a relevant threat vector for web-based attacks.

For European organizations, this vulnerability poses a risk primarily to websites and web applications using the affected 10Web Photo Gallery plugin. Successful exploitation can lead to unauthorized script execution, enabling attackers to steal session cookies, perform actions on behalf of legitimate users, or redirect users to malicious sites. This can result in data breaches, defacement, loss of customer trust, and regulatory non-compliance under GDPR if personal data is compromised. Since the vulnerability requires authenticated access with at least contributor privileges (or administrator privileges), insider threats or compromised user accounts can be leveraged to exploit this flaw. The impact is particularly critical for organizations relying on WordPress for public-facing websites, e-commerce platforms, or intranet portals where user trust and data integrity are paramount. Additionally, the stored nature of the XSS means the malicious payload persists and can affect multiple users over time, increasing the potential damage. Given the medium CVSS score, the threat is moderate but should not be underestimated, especially in sectors like finance, healthcare, and government where web integrity is crucial.

1. Immediate mitigation involves restricting plugin usage to trusted administrators and contributors only, minimizing the number of users with permissions that could exploit this vulnerability. 2. Disable or remove the 10Web Photo Gallery plugin until a security patch is released. 3. Monitor user accounts for suspicious activity, especially those with contributor or higher privileges, to detect potential exploitation attempts. 4. Implement Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the affected plugin’s widget parameters. 5. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. 6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and themes to identify outdated or vulnerable components. 7. Once available, promptly apply official patches or updates from 10Web addressing this vulnerability. 8. Educate site administrators and content creators about the risks of XSS and safe content management practices, especially when using page builder plugins that may increase attack surface.