CVE-2024-29808

CVSS V2 None CVSS V3 None

Description

The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue.

Overview

CVE ID
CVE-2024-29808

Assigner
AppCheck

Vulnerability Status
PUBLISHED

Published Version
2024-03-26T15:26:34.537Z

Last Modified Date
2024-03-26T15:26:34.537Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin/
https://wordpress.org/plugins/photo-gallery/#developers

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-29808
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29808

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 02:25:36				Added to TrackCVE