CVE-2024-12114
📋 TL;DR
This vulnerability in the FooGallery WordPress plugin allows authenticated attackers with gallery creator access or higher to modify arbitrary posts and pages via an insecure direct object reference flaw. It affects all versions up to 2.4.29 when the Gallery Creator Role is set below 'Editor' level. Attackers can exploit this to deface websites or inject malicious content.
💻 Affected Systems
- FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel for WordPress
📦 What is this software?
Foogallery by Fooplugins
⚠️ Risk & Real-World Impact
Worst Case
Attackers could deface entire websites, inject malicious scripts, or modify critical content across all posts and pages, potentially leading to credential theft or malware distribution.
Likely Case
Limited content modification by authenticated users with gallery permissions, resulting in defaced pages or injected advertisements/links.
If Mitigated
No impact if Gallery Creator Role is set to 'Editor' or higher, or if the plugin is patched/disabled.
🎯 Exploit Status
Exploitation requires authenticated access with gallery creator role or higher. The vulnerability is in the foogallery_attachment_modal_save AJAX action via the img_id parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.30
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3250684/foogallery/tags/2.4.30/includes/admin/class-gallery-attachment-modal.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find FooGallery and click 'Update Now'.
4. Verify the version is 2.4.30 or higher.
🔧 Temporary Workarounds
Restrict Gallery Creator Role
Set Gallery Creator Role to 'Editor' or higher in plugin settings to prevent exploitation.
Disable Vulnerable AJAX Action
Remove or restrict access to the foogallery_attachment_modal_save AJAX endpoint via .htaccess or a security plugin.
# Add to .htaccess:
# Caveat: .htaccess rules cannot match a POST body parameter, so this block denies
# every request to admin-ajax.php, not just the vulnerable action. Any front-end or
# admin feature that relies on admin-ajax.php will stop working while it is in place.
<Files "admin-ajax.php">
# Apache 2.4 and later
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2 fallback
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
🧯 If You Can't Patch
- Set Gallery Creator Role to 'Editor' or higher in plugin settings.
- Temporarily disable the FooGallery plugin until patching is possible.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for FooGallery version. If version is 2.4.29 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=foogallery --field=version
Verify Fix Applied:
Confirm FooGallery version is 2.4.30 or higher in WordPress admin panel.
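A small script that wraps the wp-cli command from this section and decides whether the installed release falls in the affected range. It is an added example, not part of the advisory or the plugin; it assumes wp-cli is on PATH and is run from the WordPress root, and it compares version components numerically because a plain string comparison would rank "2.4.9" above "2.4.30".

```python
import re
import subprocess

# First patched release named in the advisory; everything below it is affected.
FIXED_VERSION = (2, 4, 30)


def parse_version(text):
    """'2.4.29' -> (2, 4, 29). A missing patch number counts as 0; suffixes such as '-beta' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(text):
    """True for every release up to and including 2.4.29, i.e. anything before 2.4.30."""
    return parse_version(text) < FIXED_VERSION


def installed_foogallery_version():
    """Ask wp-cli for the installed version (assumption: wp-cli available, cwd is the site root).

    Returns an empty string when the plugin is not installed.
    """
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=foogallery", "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_foogallery_version()
    if not version:
        print("FooGallery is not installed")
    elif is_vulnerable_version(version):
        print(f"FooGallery {version}: VULNERABLE - update to 2.4.30 or later")
    else:
        print(f"FooGallery {version}: patched")
```

The version test alone does not capture the role condition: a 2.4.29 site whose Gallery Creator Role is already at 'Editor' or higher is not exploitable according to the advisory, but it should still be updated.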
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=foogallery_attachment_modal_save
- Multiple post/page modifications by users with gallery roles
Network Indicators:
- HTTP POST requests containing 'img_id' parameter to admin-ajax.php endpoint
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="foogallery_attachment_modal_save"
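Detection logic for the log and network indicators above, as an added example that is not part of this advisory. It assumes requests are available as JSON lines with method, uri, body and user fields, which is the shape a WAF or an application-level request logger would produce; a stock Apache or Nginx access log records neither the POST body nor the WordPress user, so the action and img_id would be invisible there unless they travel in the query string. The sample records are constructed, and the enumeration threshold is an assumed tuning value.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

VULN_ACTION = "foogallery_attachment_modal_save"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample log (JSON lines). The "body" and "user" fields are an assumption
# about the logging layer, not something a plain access log provides.
SAMPLE_LOG = """\
{"ts":"2024-12-05T10:00:01Z","user":"alice","method":"GET","uri":"/wp-admin/admin-ajax.php?action=heartbeat"}
{"ts":"2024-12-05T10:00:02Z","user":"bob","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&_nonce=abc"}
{"ts":"2024-12-05T10:00:03Z","user":"bob","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=foogallery_attachment_modal_save&img_id=101&caption=x"}
{"ts":"2024-12-05T10:00:04Z","user":"bob","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=foogallery_attachment_modal_save&img_id=102&caption=x"}
{"ts":"2024-12-05T10:00:05Z","user":"bob","method":"POST","uri":"/wp-admin/admin-ajax.php?action=foogallery_attachment_modal_save","body":"img_id=103&caption=x"}
{"ts":"2024-12-05T10:00:06Z","user":"carol","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=foogallery_attachment_modal_save&img_id=55&caption=ok"}
{"ts":"2024-12-05T10:00:07Z","user":"dave","method":"POST","uri":"/wp-login.php","body":"log=dave&pwd=x"}
"""


def request_params(rec):
    """Merge query-string and form-body parameters into one dict (body wins on conflict)."""
    params = {}
    for source in (urlparse(rec.get("uri", "")).query, rec.get("body", "")):
        for key, values in parse_qs(source).items():
            params[key] = values[0]
    return params


def hits_vulnerable_action(rec):
    """True for a POST to admin-ajax.php that carries the vulnerable action and an img_id."""
    if rec.get("method") != "POST":
        return False
    if urlparse(rec.get("uri", "")).path != AJAX_PATH:
        return False
    params = request_params(rec)
    return params.get("action") == VULN_ACTION and "img_id" in params


def scan(log_text):
    """Return (timestamp, user, img_id) for every matching request in a JSON-lines log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if hits_vulnerable_action(rec):
            hits.append((rec.get("ts"), rec.get("user", "?"), request_params(rec)["img_id"]))
    return hits


def distinct_targets_per_user(hits):
    """How many different img_id values each user sent to the vulnerable action."""
    targets = defaultdict(set)
    for _ts, user, img_id in hits:
        targets[user].add(img_id)
    return {user: len(ids) for user, ids in targets.items()}


def flag_enumeration(hits, threshold=3):
    """Users who touched at least `threshold` distinct img_id values in the window.

    One gallery user editing many different attachment/post ids in quick succession is the
    pattern behind the 'multiple post/page modifications' indicator; the threshold is an
    assumed value to tune per site.
    """
    return sorted(user for user, n in distinct_targets_per_user(hits).items() if n >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ts, user, img_id in found:
        print(f"{ts} {user} -> {VULN_ACTION} img_id={img_id}")
    print("users to review for possible IDOR enumeration:", flag_enumeration(found))
```

A single matching request is normal behaviour for a legitimate gallery editor, so the per-request match is best used as an enrichment field; the per-user distinct-target count is what separates routine caption edits from an account working through id values.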
🔗 References
- https://github.com/fooplugins/foogallery/blob/master/includes/admin/class-gallery-attachment-modal.php#L242
- https://plugins.trac.wordpress.org/changeset/3250684/foogallery/tags/2.4.30/includes/admin/class-gallery-attachment-modal.php?old=3229839&old_path=foogallery%2Ftags%2F2.4.29%2Fincludes%2Fadmin%2Fclass-gallery-attachment-modal.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe3ad9-247f-4e5d-8c79-0970afaa7729?source=cve