CVE-2024-5162
📋 TL;DR
The WordPress prettyPhoto plugin up to version 1.2.3 has a stored cross-site scripting vulnerability in the 'url' parameter. Authenticated attackers with Contributor access or higher can inject malicious scripts that execute when users view compromised pages. This affects all WordPress sites using vulnerable versions of the plugin.
💻 Affected Systems
- WordPress prettyPhoto plugin
📦 What is this software?
Prettyphoto by Master Addons
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform phishing attacks, or display unwanted advertisements.
If Mitigated
With proper input validation and output escaping, the vulnerability would be prevented, and only sanitized data would be displayed to users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/prettyphoto/trunk/addon/jltma-wpf-addon.php#L96
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'prettyPhoto' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.2.4+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable prettyPhoto plugin
Temporarily disable the vulnerable plugin until patched:
wp plugin deactivate prettyphoto
Restrict user roles
Limit Contributor and higher role assignments to trusted users only
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in URL parameters
- Regularly audit user accounts and remove unnecessary Contributor+ privileges
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for prettyPhoto version 1.2.3 or earlier
Check Version:
wp plugin list --name=prettyphoto --field=version
Verify Fix Applied:
Confirm prettyPhoto plugin version is 1.2.4 or later in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to prettyPhoto plugin endpoints with script tags in parameters
- Multiple failed login attempts followed by successful Contributor+ login
Network Indicators:
- HTTP requests containing <script> tags in URL parameters to prettyPhoto endpoints
SIEM Query:
source="wordpress.log" AND ("prettyphoto" AND ("<script>" OR "javascript:"))
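The SIEM query above matches the literal strings "<script>" and "javascript:", so a payload that arrives URL-encoded (or double-encoded) in the 'url' parameter is missed. The following is an added example, not part of this advisory or the plugin, that scans combined-format access log lines (constructed samples below), scopes to requests whose target mentions prettyphoto, and decodes each query parameter before matching; the log format, the prettyphoto substring as scope, and the sample requests are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /?page_id=2&prettyphoto=1&url=https%3A%2F%2Fcdn.example.com%2Fphoto.jpg HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:00:09 +0000] "POST /wp-admin/post.php?action=editpost&prettyphoto=1&url=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 302 0
203.0.113.9 - - [10/Jun/2024:12:00:15 +0000] "GET /wp-content/plugins/prettyphoto/?url=javascript%253Atest HTTP/1.1" 200 800
203.0.113.9 - - [10/Jun/2024:12:00:22 +0000] "GET /wp-content/plugins/prettyphoto/js/app.js HTTP/1.1" 200 9000
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators the advisory names (script tags, javascript: URLs) plus common tag/handler variants.
XSS_RE = re.compile(r'<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b', re.I)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return (name, decoded_value) pairs whose decoded value looks like an XSS payload."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for v in values:
            decoded = fully_decode(v)  # parse_qs decoded once; handle further layers
            if XSS_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(text):
    """Yield an alert dict for each prettyphoto-related request carrying a suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m.group("target")
        if "prettyphoto" not in fully_decode(target).lower():
            continue  # scope to the plugin, as the advisory's query does
        hits = suspicious_params(target)
        if hits:
            alerts.append({"ip": m.group("ip"), "method": m.group("method"), "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```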
🔗 References
- https://plugins.trac.wordpress.org/browser/prettyphoto/trunk/addon/jltma-wpf-addon.php#L96
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c581616d-c9e7-46f2-9c2f-5e082a13fd0b?source=cve