CVE-2024-2744
📋 TL;DR
This vulnerability in the NextGEN Gallery WordPress plugin allows administrators to inject malicious scripts into plugin settings; the scripts then execute in other users' browsers when they view affected pages. It affects WordPress sites running NextGEN Gallery versions before 3.59.1, even when the unfiltered_html capability has been disabled for users.
💻 Affected Systems
- NextGEN Gallery WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could inject persistent XSS payloads that steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Malicious administrators or compromised admin accounts could inject scripts that affect other users, potentially stealing their session data or performing unauthorized actions.
If Mitigated
With proper access controls and admin account security, the risk is limited to trusted administrators who would need to intentionally exploit the vulnerability.
🎯 Exploit Status
Exploitation requires administrator privileges. The vulnerability is in plugin settings that administrators can modify.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.59.1
Vendor Advisory: https://wpscan.com/vulnerability/a5579c15-50ba-4618-95e4-04b2033d721f/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find NextGEN Gallery and click 'Update Now'.
4. Alternatively, download version 3.59.1+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrator accounts to trusted personnel only and enforce strong authentication controls.
Disable Plugin
Temporarily disable the NextGEN Gallery plugin until it is patched:
wp plugin deactivate nextgen-gallery
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts and monitor admin activity
- Use web application firewall rules to block XSS payloads in plugin settings
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → NextGEN Gallery version. If the version is below 3.59.1, the site is vulnerable.
Check Version:
wp plugin get nextgen-gallery --field=version
Verify Fix Applied:
After updating, verify NextGEN Gallery version is 3.59.1 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to NextGEN Gallery settings by admin users
- Multiple failed login attempts to admin accounts
Network Indicators:
- Suspicious JavaScript payloads in HTTP POST requests to wp-admin/admin.php?page=nggallery_settings
SIEM Query:
source="wordpress.log" AND ("nextgen-gallery" OR "nggallery") AND ("settings" OR "update") AND status=200
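As an added example (not part of the advisory), the Python below combines the version check from the verification section with a detection pass over the indicators above: it compares an installed version against the 3.59.1 fix and flags POSTs to the NextGEN settings page whose submitted values contain script-like markup. The JSON-lines request capture, its field names and the usernames are constructed assumptions; the endpoint and fix version come from the advisory.

```python
import json
import re

FIXED_VERSION = "3.59.1"                    # patched release named in the advisory
SETTINGS_PAGE = "page=nggallery_settings"   # settings endpoint named in the advisory

# Heuristic markers for HTML/JS injected into a text setting.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*iframe\b|<\s*svg\b", re.IGNORECASE)

def parse_version(version):
    """'3.59.1' -> (3, 59, 1); tolerates suffixes such as '3.59.1-beta'."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip()).group(0)
    return tuple(int(part) for part in core.split("."))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed is strictly below the fix; tuple comparison avoids
    the string-compare trap where '3.100' would sort below '3.59.1'."""
    return parse_version(installed) < parse_version(fixed)

def suspicious_settings_updates(records):
    """Return (user, field, value) for POSTs to the NextGEN settings page whose
    submitted fields look like markup. Record keys are assumed names."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST" or SETTINGS_PAGE not in rec.get("uri", ""):
            continue
        for field, value in rec.get("body", {}).items():
            if SCRIPT_MARKERS.search(str(value)):
                hits.append((rec.get("user", "?"), field, value))
    return hits

# Constructed sample: JSON-lines capture of admin requests as a WAF or
# request-logging plugin might emit it. Users, fields and values are made up.
SAMPLE_LOG = """\
{"user":"alice","method":"POST","uri":"/wp-admin/admin.php?page=nggallery_settings","body":{"gallery_title":"Summer 2024"}}
{"user":"mallory","method":"POST","uri":"/wp-admin/admin.php?page=nggallery_settings","body":{"gallery_title":"x<img src=x onerror=alert(1)>"}}
{"user":"bob","method":"GET","uri":"/wp-admin/admin.php?page=nggallery_settings","body":{}}
{"user":"carol","method":"POST","uri":"/wp-admin/options.php","body":{"blogname":"<script>alert(1)</script>"}}
"""

def scan_sample(log_text=SAMPLE_LOG):
    """Parse the JSON-lines capture and return the flagged settings updates."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return suspicious_settings_updates(records)

if __name__ == "__main__":
    print("3.59.0 vulnerable:", is_vulnerable("3.59.0"), "| flagged:", scan_sample())
```

Only mallory's update is flagged: bob's request is a GET and carol's script lands on a different admin page, which keeps the rule scoped to the endpoint this advisory names.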