CVE-2021-24362: XSS
First published: Mon Aug 16 2021(Updated: )
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 10web Photo Gallery | <1.5.75 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-24362?
CVE-2021-24362 is a vulnerability in the Photo Gallery WordPress plugin before 1.5.75 that allows users to upload SVG files containing malicious JavaScript code.
How does CVE-2021-24362 impact users?
CVE-2021-24362 allows users to upload SVG files with malicious code, which can potentially execute arbitrary JavaScript on the website.
What is the severity of CVE-2021-24362?
CVE-2021-24362 has a severity level of 6.1 (medium).
How can I fix CVE-2021-24362?
To fix CVE-2021-24362, users should update the Photo Gallery WordPress plugin to version 1.5.75 or higher.
What is CWE-79?
CWE-79 is a common weakness that refers to Cross-Site Scripting (XSS) vulnerabilities.
- collector/nvd-index
- vendor/10web
- canonical/10web photo gallery