CVE-2024-5426 is a stored cross-site scripting (XSS) vulnerability identified in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress, affecting all versions up to and including 1.8.23. The vulnerability stems from improper neutralization of input during web page generation, specifically inadequate sanitization and output escaping of the 'svg' parameter. This flaw allows authenticated attackers—administrators by default, and contributors in pro versions—to inject arbitrary JavaScript code into pages managed by the plugin. When any user accesses a page containing the injected script, the malicious code executes in their browser context. This can lead to various attack scenarios including session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, or defacement of the website. The vulnerability requires authentication but no user interaction beyond visiting the infected page. The CVSS v3.1 base score is 6.4, reflecting medium severity with network attack vector, low attack complexity, and privileges required. The scope is changed due to potential impact on other users viewing the injected content. No public exploits or active exploitation have been reported yet. The plugin’s widespread use in WordPress sites, especially those relying on image galleries, makes this a significant concern for website administrators. The lack of a patch link suggests that remediation may require updates from the vendor or manual mitigation steps.

The impact of CVE-2024-5426 is primarily on the confidentiality and integrity of affected websites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the vulnerable site, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. This can damage the reputation of organizations, lead to data breaches, and compromise user trust. Since the vulnerability requires authenticated access, the risk is somewhat mitigated but remains significant in environments where multiple users have elevated privileges or where contributor roles are extended in pro versions. The scope of impact includes all visitors to the compromised pages, increasing the potential damage. Organizations relying on the affected plugin for public-facing galleries or internal portals may face defacement or data leakage. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public. Overall, the vulnerability poses a moderate risk to organizations globally, especially those with high WordPress usage and reliance on this plugin.

1. Immediately update the Photo Gallery by 10Web plugin to a fixed version once released by the vendor. Monitor official 10Web channels for patch announcements. 2. Until a patch is available, restrict plugin usage to trusted administrators only and disable contributor or lower privilege access to the plugin features, especially in pro versions. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'svg' parameter, focusing on script injection patterns. 4. Conduct regular security audits and code reviews of customizations involving the plugin to identify and sanitize any user inputs. 5. Educate administrators and contributors about the risks of injecting untrusted content and enforce strict content policies. 6. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 7. Monitor website logs and user reports for signs of XSS exploitation or unusual behavior. 8. Consider temporarily disabling the plugin if it is not critical to operations until a secure version is deployed.