Login Sign Up

CVE-2024-39631

7.1 HIGH
Cross-Site Scripting

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the WordPress Contest Gallery plugin allows attackers to inject malicious scripts into web pages. When users view pages containing the malicious content, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. All WordPress sites using vulnerable versions of Contest Gallery are affected.

💻 Affected Systems

Products:
  • WordPress Contest Gallery Plugin
Versions: All versions up to and including 23.1.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Contest Gallery plugin to be installed and active on a WordPress site.

📦 What is this software?

Contest Gallery by Contest Gallery

View all CVEs affecting Contest Gallery →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over WordPress sites, deface websites, install backdoors, or redirect visitors to malicious sites.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies, potentially compromising user accounts and performing unauthorized actions.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires contributor-level access or higher to inject malicious scripts into gallery content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.1.3 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/contest-gallery/wordpress-contest-gallery-plugin-23-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Contest Gallery and click 'Update Now'. 4. Verify update completes successfully.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the Contest Gallery plugin until patched

wp plugin deactivate contest-gallery

Restrict User Roles

all

Limit gallery editing to trusted administrators only

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Enable Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Contest Gallery version

Check Version:

wp plugin list --name=contest-gallery --field=version

Verify Fix Applied:

Verify Contest Gallery version is 23.1.3 or higher in WordPress plugins list

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to gallery submission endpoints
  • JavaScript payloads in gallery content fields

Network Indicators:

  • Malicious script tags in HTTP requests to gallery endpoints

SIEM Query:

source="wordpress.log" AND "contest-gallery" AND ("script" OR "javascript" OR "onerror" OR "onload")

📊 Metadata

CVE ID: CVE-2024-39631
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE: CWE-79
Published: August 1, 2024
Last Updated: September 11, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-39631, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)