CVE-2024-35628

4.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the Photo Gallery by 10Web WordPress plugin. It allows unauthorized users to perform actions that should require authentication, affecting all WordPress sites using vulnerable versions of this plugin. The vulnerability stems from improper access controls in the plugin's functionality.

💻 Affected Systems

Products:
  • Photo Gallery by 10Web WordPress Plugin
Versions: All versions up to and including 1.8.25
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using vulnerable plugin versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers could modify gallery content, delete images, or potentially escalate privileges to gain administrative access to the WordPress site.

🟠 Likely Case

Unauthorized users could view or modify photo gallery content they shouldn't have access to, potentially defacing websites or accessing private images.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact would be limited to the specific WordPress instance, preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing authorization vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.26 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/photo-gallery/wordpress-photo-gallery-by-10web-plugin-1-8-23-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Photo Gallery by 10Web'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.8.26+ from the WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate photo-gallery

Restrict Access (applies to: all)

Use web application firewall rules to restrict access to plugin endpoints.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the WordPress admin interface
  • Enable WordPress security plugins that monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the plugin's version number under WordPress admin panel > Plugins > Photo Gallery by 10Web.

Check Version:

wp plugin get photo-gallery --field=version

Verify Fix Applied:

Confirm that the plugin version shown in the WordPress admin is 1.8.26 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to /wp-admin/admin-ajax.php with photo-gallery actions
  • Multiple failed authentication attempts followed by successful gallery modifications

Network Indicators:

  • Unusual traffic patterns to photo gallery endpoints from unauthenticated sources

SIEM Query:

source="wordpress.log" AND "photo-gallery" AND ("admin-ajax" OR "wp-admin") AND status=200 AND user="-"
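As an added example (not part of this advisory), the same filter the SIEM query expresses, applied in Python to Apache/nginx combined-format access logs: a successful POST to admin-ajax.php that names a photo-gallery action and carries no authenticated user. The log lines are constructed and the action name is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache/nginx "combined" log format. The third field is the HTTP-level
# remote user; it is "-" when the request carried no authentication,
# which is the field the SIEM query above keys on (user="-").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

@dataclass
class Hit:
    ip: str
    ts: str
    path: str

def is_suspicious(line: str) -> Optional[Hit]:
    """Flag an unauthenticated, successful POST to admin-ajax.php naming a photo-gallery action.

    Caveat: an access log only shows the action when it is sent in the query string;
    actions sent in the POST body are visible only where the body is logged (e.g. a WAF).
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-combined line; skipped, not flagged
    path = m["path"]
    if (m["method"] == "POST"
            and "/wp-admin/admin-ajax.php" in path
            and "photo-gallery" in path.lower()
            and m["status"] == "200"
            and m["user"] == "-"):
        return Hit(m["ip"], m["ts"], path)
    return None

def scan(lines: List[str]) -> List[Hit]:
    return [h for h in map(is_suspicious, lines) if h is not None]

# Constructed sample log lines (not from a real incident); the action value is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2024:10:15:01 +0000] "POST /wp-admin/admin-ajax.php?action=photo-gallery_EXAMPLE HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - admin [12/May/2024:10:16:20 +0000] "POST /wp-admin/admin-ajax.php?action=photo-gallery_EXAMPLE HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:17:05 +0000] "GET /wp-admin/admin-ajax.php?action=photo-gallery_EXAMPLE HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2024:10:18:44 +0000] "POST /wp-admin/admin-ajax.php?action=photo-gallery_EXAMPLE HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2024:10:19:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.path}")
```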
