First published: Mon Aug 16 2021
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which will be executed when the image is accessed directly (i.e. in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 10web Photo Gallery | < 1.5.75 | Update to 1.5.75 or higher |
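The weakness described above is an upload path that accepts SVG files without checking them for active content. The following is an added example (not code from the Photo Gallery plugin, and written in Python rather than the plugin's PHP) of the kind of check a gallery upload handler needs: it parses the SVG as XML and rejects files whose root element is not `<svg>`, that contain `<script>`, `<foreignObject>` or other embedding elements, that carry `on*` event-handler attributes, or whose `href` attributes use a `javascript:` or `data:` scheme. The block list, the function names and the sample SVG documents are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Elements that carry or embed active content and have no place in a gallery image.
# This block list is an assumption for the example, not the plugin's own policy.
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local_name(qualified):
    """Strip ElementTree's '{namespace}' prefix: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return qualified.rsplit("}", 1)[-1]


def normalize_url(value):
    """Lowercase and strip a URL the way a browser does before reading its scheme.

    The WHATWG URL parser removes ASCII tab and newline characters before parsing,
    so a scheme check has to do the same or it can be bypassed by such characters.
    """
    stripped = "".join(ch for ch in value if ch not in "\t\n\r")
    return stripped.strip().lower()


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means no active content was detected.

    Note: xml.etree is not hardened against entity-expansion denial of service.
    In production, parse with defusedxml (or a similarly hardened parser) instead.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if local_name(root.tag).lower() != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")

    for element in root.iter():
        if not isinstance(element.tag, str):  # skip comments / processing instructions
            continue
        name = local_name(element.tag)
        if name.lower() in BLOCKED_ELEMENTS:
            findings.append(f"blocked element <{name}>")
        for attr, value in element.attrib.items():
            attr_name = local_name(attr)  # handles both href and xlink:href
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            elif attr_name.lower() == "href" and normalize_url(value).startswith(("javascript:", "data:")):
                # data: is rejected conservatively: a gallery image should not embed documents.
                findings.append(f"active href on <{name}>: {value!r}")
    return findings


def is_safe_svg(svg_bytes):
    """True when the upload should be accepted, False when it must be rejected."""
    return not find_active_content(svg_bytes)


# Constructed samples (not from the advisory): a plain image and three variants with active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed marker, no payload */</script><rect width="1" height="1"/></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="handler()"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:void(0)"><text>link</text></a></svg>')


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(label, "->", "accept" if is_safe_svg(sample) else find_active_content(sample))
```

The check rejects rather than rewrites: stripping offending nodes and re-serialising is where sanitisers typically go wrong, and a gallery has no reason to accept a partially cleaned file. Run at upload time, before the file is written under /wp-content/uploads/, it closes the path the advisory describes; it does not replace serving uploads from a location where a stored script cannot run in the site's origin.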
CVE-2021-24362 is a vulnerability in the Photo Gallery WordPress plugin before 1.5.75 that allows users to upload SVG files containing malicious JavaScript code.
CVE-2021-24362 allows users to upload SVG files with malicious code, which can potentially execute arbitrary JavaScript on the website.
CVE-2021-24362 has a severity level of 6.1 (medium).
To fix CVE-2021-24362, users should update the Photo Gallery WordPress plugin to version 1.5.75 or higher.
CWE-79 is a common weakness that refers to Cross-Site Scripting (XSS) vulnerabilities.