CVE-2024-12119: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bradvin FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the default_gallery_title_size parameter in all versions up to, and including, 2.4.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with granted gallery and album creator roles, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2024-12119 is a stored cross-site scripting vulnerability in the FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress, maintained by bradvin. All versions up to and including 2.4.29 are affected. The root cause is that the default_gallery_title_size parameter, a setting that controls the gallery title size, is neither sanitized when it is saved nor escaped when it is written into the generated page (CWE-79). An authenticated user who holds the plugin's gallery or album creator roles can therefore store a value containing markup or JavaScript instead of a size, and that payload is rendered into every page that uses the setting. When another user, including an administrator, loads such a page, the script runs in that user's browser with that user's session, which can lead to unauthorized actions performed in the victim's name, theft of data visible to the victim, or redirection to attacker-controlled content. Exploitation needs an authenticated account with the relevant roles but no victim interaction beyond viewing the affected page. The CVSS v3.1 base score is 6.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, changed scope because the payload executes in other users' browsers, and low confidentiality and integrity impact with no availability impact. No public exploit is recorded here, but the vulnerability is published and CISA-enriched. This analysis does not record a fixed release, so administrators should confirm the patched version from the plugin's changelog before relying on an upgrade and apply the mitigations below in the meantime.
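As an added illustration, not FooGallery's own code, the snippet below shows a hypothetical WordPress setting named default_gallery_title_size handled first in the vulnerable way the advisory describes (stored raw, echoed unescaped) and then in a hardened form that validates the value as a CSS length on input and escapes it on output. The option names, function names, and the allow-list of units are assumptions for this example; register_setting, get_option, update_option, add_action, esc_attr and esc_html are the real WordPress APIs, and the file is meant to run inside a WordPress plugin.

```php
<?php
// Added example, not FooGallery's code. Option and function names are
// assumptions chosen for illustration.

// --- Vulnerable pattern (CWE-79 for a settings value) ---
// The users who may save this setting (gallery/album creators) are legitimately
// allowed to change it, so a capability or nonce check does not close the hole.
// The defect is that the raw value is stored and then echoed into an attribute
// without escaping, so a value such as
//     16px" onmouseover="alert(document.domain)
// breaks out of the style attribute and runs in every visitor's browser.
function vuln_save_title_size() {
    $size = $_POST['default_gallery_title_size'];            // no sanitization
    update_option( 'vuln_default_gallery_title_size', $size );
}

function vuln_render_title( $title ) {
    $size = get_option( 'vuln_default_gallery_title_size', '16px' );
    echo '<h3 style="font-size: ' . $size . '">' . $title . '</h3>'; // no escaping
}

// --- Hardened pattern: constrain on input, escape on output ---
// A title size is a CSS length, so accept only a number with an allowed unit
// and fall back to the default otherwise. Rejecting anything that is not a
// length removes markup outright instead of trying to strip it.
function safe_sanitize_title_size( $value, $default = '16px' ) {
    $value = trim( (string) $value );
    if ( preg_match( '/^(\d{1,3}(?:\.\d{1,2})?)(px|em|rem|%)$/', $value, $m ) ) {
        return $m[1] . $m[2];
    }
    return $default;
}

// register_setting() runs the sanitize_callback on every save, whether the
// value arrives via the settings form or the REST settings endpoint.
function safe_register_setting() {
    register_setting(
        'safe_gallery_options',
        'safe_default_gallery_title_size',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'safe_sanitize_title_size',
            'default'           => '16px',
        )
    );
}
add_action( 'admin_init', 'safe_register_setting' );

function safe_render_title( $title ) {
    $size = get_option( 'safe_default_gallery_title_size', '16px' );
    // Escape on output even though input is validated: defence in depth covers
    // values written by other code paths, imports, or direct database edits.
    echo '<h3 style="font-size: ' . esc_attr( $size ) . '">' . esc_html( $title ) . '</h3>';
}
```

The two halves of the fix are independent: the allow-list stops the payload from being stored, and esc_attr() stops any stored value from breaking out of the attribute. Either alone would have prevented this particular bug; together they also protect against the value being set by a path the sanitizer does not cover.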
Potential Impact
The primary impact is to the confidentiality and integrity of affected WordPress sites running the FooGallery plugin. An attacker with a gallery or album creator role can store a persistent script that executes in the browser of every user who views an affected page. WordPress marks its authentication cookies HttpOnly, so outright theft of the session cookie is unlikely; the more realistic outcome is that the script acts with the victim's live session and a REST API nonce read from the page, for example creating an administrator account or modifying site content when the victim is an administrator, which amounts to account and site takeover. Redirecting visitors to malicious sites and leaking data visible to the victim are also possible. Because exploitation requires an authenticated account with these roles, the risk is concentrated in sites that grant gallery or album creation to untrusted contributors, or where such credentials can be phished or reused. Given the popularity of WordPress and of FooGallery for image galleries, that still covers a large number of sites. Availability is not directly affected, although a compromised administrator session can be used to degrade or deface the site afterwards.
Mitigation Recommendations
Administrators should first restrict the gallery and album creator roles to trusted accounts and audit existing users for privileges they do not need; in this threat model the role holder is the attacker, so removing the role from untrusted accounts is the control that matters most. Until the plugin is upgraded to a fixed release, add web application firewall (WAF) rules for the default_gallery_title_size parameter: a legitimate value is a number followed by a CSS unit, so any submission containing angle brackets, quotes, or an on*= handler can be rejected outright rather than matched against known payloads. A Content Security Policy that disallows inline scripts would stop an injected handler, but WordPress administration pages and most themes depend on inline scripts, so a policy strict enough to help needs nonces or hashes and careful testing; treat it as defence in depth, not the primary fix. Review logs for unusual changes to gallery settings and inspect the stored value of the setting in the plugin's options for markup, since a payload may already be present. If patching is not feasible, deactivate or replace the plugin. Once a fixed version is available, apply it promptly, and enforce strong authentication (MFA) for all accounts with elevated roles so that a compromised credential does not become a stored XSS foothold.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-03T21:29:32.033Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6c67
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 2/28/2026, 11:39:38 AM
Last updated: 3/25/2026, 4:33:46 AM