CVE Radar
CVE-2024-10704

Severity: Medium
Vendor: 10web
SVRS: 30
CVSSv3: 4.8
EPSS: 0.00089
Tags: In The Wild
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Publication date: 2024-11-29
Last modified: 2024-11-29


Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-10704, affects the Photo Gallery by 10Web WordPress plugin. It is a Stored Cross-Site Scripting (XSS) vulnerability stemming from the plugin's failure to properly sanitize and escape some of its settings. This matters significantly because it allows high-privilege users, such as administrators, to inject malicious scripts into the website's settings. These scripts can then execute in the browsers of other users who view the affected content. A critical aspect is that this vulnerability can be exploited even when the unfiltered_ capability is disallowed, which is a common security measure, especially in multisite WordPress installations. This bypass makes the flaw more severe than typical XSS vulnerabilities that rely on this capability.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 4.8. Based on this score, the severity level is classified as Medium. The vulnerability was publicly disclosed and published on 2024-11-29 at 06:00:07 UTC, and it was last modified on 2024-11-29 at 14:51:23 UTC.
3. Which products, vendors, systems, and versions are affected?
  • Vendor: 10Web
  • Product: Photo Gallery by 10Web WordPress plugin
  • System: WordPress
  • Affected Versions: All versions of the Photo Gallery by 10Web WordPress plugin prior to 1.8.31 are affected.
4. What is the technical root cause and attack vector?
The technical root cause of this vulnerability is improper neutralization of input during web page generation, specifically a lack of sanitization and escaping of some plugin settings. This falls under CWE-79, a common vulnerability class for Cross-site Scripting. The attack vector involves a high-privilege user (e.g., an administrator) saving unsanitized input into the plugin's settings. When this input is later rendered by the plugin on a web page, the malicious script embedded within it is executed in the unsuspecting user's browser.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by an attacker who has obtained or compromised the credentials of a high-privilege user (such as an administrator) on a WordPress site running the vulnerable Photo Gallery by 10Web plugin. The attacker can then navigate to the plugin's settings interface and inject malicious JavaScript code into one of the unsanitized fields. Once this malicious content is saved, any other user who subsequently views a page or section of the website where these compromised settings are displayed will have the injected script execute in their web browser, leading to potential session hijacking, data theft, or defacement. The key enabler is the plugin's failure to sanitize and escape user-supplied input before rendering it.
6. What mitigation steps and patches are available?
The primary mitigation step is to update the Photo Gallery by 10Web WordPress plugin to a patched version. Users should upgrade their plugin to version 1.8.31 or later to remediate this vulnerability. Regularly updating all plugins, themes, and the WordPress core to their latest versions is a general best practice to prevent exploitation of known vulnerabilities.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by identifying the installed version of the Photo Gallery by 10Web WordPress plugin. If the installed version is earlier than 1.8.31, the system is considered vulnerable. Administrators can check the plugin version through the WordPress admin dashboard, typically in the 'Plugins' section.
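To automate the version check described above, an added example (not code from the CVE Radar page or from 10Web) that reads the standard WordPress `Version:` plugin header and compares it numerically against 1.8.31; the sample header is constructed, and the function names and regex are assumptions rather than anything the plugin ships.

```python
"""Added example: is an installed Photo Gallery by 10Web plugin below the
fixed version 1.8.31? Assumes the plugin's main PHP file carries the usual
WordPress plugin header with a 'Version:' line (the real file path is not
given on the CVE page, so a constructed header is used here)."""
import re

FIXED_VERSION = "1.8.31"  # first patched release named in the advisory

# Constructed sample header, shaped like the top of a plugin's main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Photo Gallery by 10Web
 * Version: 1.8.4
 */
"""


def parse_version(text):
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", text, re.M)
    return m.group(1) if m else None


def version_tuple(v):
    """Turn '1.8.31' into (1, 8, 31); any pre-release suffix is ignored."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", v).group(0)
    return tuple(int(p) for p in core.split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed < fixed by numeric comparison.

    Plain string comparison gets this wrong: '1.8.4' sorts after '1.8.31'
    as text, yet 1.8.4 is an older, unpatched release."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def check_header(text):
    """Classify a plugin header as 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "patched"


if __name__ == "__main__":
    print(parse_version(SAMPLE_HEADER), check_header(SAMPLE_HEADER))
```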
10. What public intelligence references and advisories exist?
The primary public intelligence reference for this vulnerability is its Common Vulnerabilities and Exposures (CVE) identifier: CVE-2024-10704. Details and advisories would typically be available on the National Vulnerability Database (NVD) maintained by NIST, as well as potentially from the vendor (10Web) or general WordPress security advisories.
11. What is the risk assessment and urgency level?
Given a CVSS score of 4.8, this vulnerability is assessed as having a Medium risk level. The urgency level for patching is moderate to high, particularly for websites where multiple administrators or users with high privileges exist, or in WordPress multisite environments where the unfiltered_ capability is disabled. While exploitation requires prior high-privilege access, the ability to bypass a common security control and affect other users, including potentially other administrators, makes timely patching critical to prevent Stored XSS attacks.

No IOCs found for this CVE

No exploits found for this CVE

Configuration 1
Type: App | Vendor: 10web | Product: photo_gallery

Reference (the same link is listed under each of the page's reference sources, including the GITHUB entry):
https://wpscan.com/vulnerability/6c115117-11c0-4c9e-9988-8547c9364c01/

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.