CVE-2021-24310
Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117
El plugin de WordPress Photo Gallery by 10Web - Mobile-Friendly Image Gallery versiones anteriores a 1.5.67, no saneaba apropiadamente el título de la galería, permitiendo a usuarios muy privilegiados crear uno con carga útil de tipo XSS, el cual se desencadenará cuando otro usuario visualice la lista de la galería o la galería afectada en el panel de administración. Esto es debido a una correción incompleta de CVE-2019-16117
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-14 CVE Reserved
- 2021-05-12 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/f34096ec-b1b0-471d-88a4-4699178a3165 | 2024-08-03 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| 10web Search vendor "10web" | Photo Gallery Search vendor "10web" for product "Photo Gallery" | < 1.5.67 Search vendor "10web" for product "Photo Gallery" and version " < 1.5.67" | wordpress |
Affected
| ||||||