CVE-2024-5426
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVGThe Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘svg’ parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure Photo Gallery can be extended to contributors on pro versions of the plugin.
We have discovered 49,787 live websites that are affected by CVE-2024-5426.
Affected Software
| Product |  Photo Gallery by 10Web |
| Category | Wordpress Plugins |
| Vulnerable Domains | 49,787 live websites (47.43% of Photo Gallery by 10Web install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 332 versions ( 53.98% of all versions) |
Details
- Published - Jun 7, 2024
- Updated - Aug 1, 2024
Credits
- Tobias Weißhaar (finder)
CVE References
CVE-2024-5426 usage by Country
 United States | 13,365 websites |
 Germany | 6,290 websites |
 France | 2,910 websites |
 Poland | 2,555 websites |
 Russia | 2,370 websites |
 GB | 1,827 websites |
 Netherlands | 1,411 websites |
 Italy | 1,393 websites |
 Japan | 1,059 websites |
 Hungary | 851 websites |
CVE-2024-5426 usage by TLD
| .com | 17,975 websites |
| .de | 3,324 websites |
| .org | 2,631 websites |
| .pl | 1,998 websites |
| .ru | 1,965 websites |
| .nl | 1,316 websites |
| .co.uk | 1,191 websites |
| .it | 1,129 websites |
| .net | 1,048 websites |
| .fr | 975 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-5426
Top websites that are affected by CVE-2024-5426. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.kz |  Kazakhstan | **,*** | |
| ******.name | France | **,*** | |
| ************.ru | Russia | **,*** | |
| ***********.org | United States | **,*** | |
| **********.**.uk | United States | **,*** | |
| ****************.org | United States | **,*** | |
| ********.cz |  Czech Republic | **,*** | |
| ***.***.ph |  Philippines | **,*** | |
| ***.org | United States | **,*** | |
| ******************.org | United States | **,*** |
FAQ
A total of 49,787 websites have been identified as vulnerable to CVE-2024-5426, discovered through global website indexing conducted by WebTechSurvey.
Photo Gallery by 10Web is susceptible to CVE-2024-5426 vulnerability.
Photo Gallery by 10Web versions before, and including, 1.8.23 are vulnerable to CVE-2024-5426.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/13436238-f14a-445b-9a9b-fbcf23b7b498?source=cve
- https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/UploadHandler.php#L521
- https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/UploadHandler.php#L542
- https://plugins.trac.wordpress.org/changeset/3098798/