CVE-2024-9878 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress. This vulnerability affects all versions up to and including 1.8.30. It stems from improper neutralization of input during web page generation, specifically within the plugin's admin settings interface. Authenticated attackers with administrator-level permissions or higher can inject arbitrary JavaScript code into the plugin's settings. Because the injected scripts are stored persistently, they execute whenever any user views the affected pages, potentially compromising user sessions or enabling further attacks such as privilege escalation or data theft. The vulnerability is limited to multisite WordPress installations or those where the unfiltered_html capability is disabled, which restricts the scope but still affects a significant subset of users. Exploitation requires high privileges (administrator or above), no user interaction is needed once the script is injected, and the attack surface is network accessible. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, high attack complexity, required privileges, no user interaction, scope change, and low impact on confidentiality and integrity, with no availability impact. No public exploits have been reported yet, but the vulnerability is published and should be addressed promptly.

The primary impact of CVE-2024-9878 is the potential for authenticated administrators to inject malicious scripts that execute in the context of other users viewing the affected pages. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of other users. Although exploitation requires administrator-level access, the vulnerability can facilitate privilege escalation or lateral movement within the WordPress environment. For multisite installations, the risk is amplified as multiple sites and users may be affected by a single injection. The vulnerability does not directly affect availability but can undermine the integrity and confidentiality of the affected systems. Organizations relying on this plugin in multisite configurations or with restricted HTML filtering are at risk of targeted attacks, especially if attackers have already compromised administrator credentials or can socially engineer access. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public.

To mitigate CVE-2024-9878, organizations should immediately update the Photo Gallery by 10Web plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict access to the plugin’s settings page to only trusted users and monitor for suspicious activity. Enabling strict input validation and output escaping in custom plugin configurations can reduce risk. For multisite installations, consider isolating sites or limiting administrator privileges to reduce the attack surface. Additionally, enabling web application firewalls (WAFs) with rules targeting stored XSS patterns can help detect and block exploitation attempts. Regularly auditing user permissions and employing multi-factor authentication for administrator accounts will further reduce the risk of unauthorized access. Finally, monitoring logs for unusual script injections or unexpected changes in plugin settings can provide early warning of exploitation attempts.