CVE-2024-6261
📋 TL;DR
This stored XSS vulnerability in the Final Tiles Grid WordPress gallery plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts via the plugin's shortcode. The scripts execute whenever users view affected pages, potentially compromising visitor browsers. All WordPress sites using this plugin up to version 3.6.0 are affected.
💻 Affected Systems
- Image Photo Gallery Final Tiles Grid WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install malware on visitor systems.
Likely Case
Attackers with contributor access inject malicious scripts that steal session cookies or redirect users to phishing pages.
If Mitigated
With proper user role management and content review, impact is limited to potential defacement of specific pages.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple via shortcode attribute manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3123808/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Image Photo Gallery Final Tiles Grid'.
4. Click 'Update Now' if available.
5. If a manual update is needed, download version 3.6.1+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Remove Contributor Shortcode Access
Restrict contributor users from using the FinalTilesGallery shortcode via role management plugins or custom code.
Content Review Workflow
Require editor/admin approval for all posts/pages containing FinalTilesGallery shortcodes before publishing.
🧯 If You Can't Patch
- Disable the plugin completely if not essential
- Implement strict user role management to limit contributor access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Image Photo Gallery Final Tiles Grid' version 3.6.0 or lower.
Check Version:
wp plugin list --name='final-tiles-grid-gallery-lite' --field=version
Verify Fix Applied:
Confirm plugin version is 3.6.1 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode modifications in post/page revisions
- Multiple failed login attempts followed by contributor account access
Network Indicators:
- External script loads from unexpected domains on gallery pages
- Suspicious POST requests to wp-admin/post.php with shortcode parameters
SIEM Query:
source="wordpress" AND (event="post_updated" AND user_role="contributor" AND content CONTAINS "FinalTilesGallery")
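The SIEM query above flags every contributor edit that touches the shortcode, which on a busy site produces many benign hits. The script below is an added example (not code from the advisory, the plugin or its vendor): it applies the same post_updated / contributor / FinalTilesGallery logic to constructed audit-log lines and then inspects the shortcode's attribute values for markup or script-like content, grading a hit "high" only when both conditions hold. The JSON line format, the event field names, the role list and the `caption` attribute name are assumptions; adapt them to your own audit log.

```python
"""Triage WordPress post-update events for the FinalTilesGallery shortcode.

Added example for this advisory, not code from the plugin or its vendor.
The JSON event format, field names and the shortcode attribute names used in
the sample are constructed assumptions; adapt them to your own audit log.
"""
import json
import re

# Shortcode tag from the advisory; attribute text is everything up to the closing bracket.
SHORTCODE_RE = re.compile(r"\[FinalTilesGallery\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=value inside the shortcode.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Markup or script-like content that has no business inside a gallery attribute.
SUSPICIOUS_RE = re.compile(r"[<>]|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)
# Roles that normally lack the unfiltered_html capability on a single-site install (assumption).
LOW_PRIV_ROLES = {"contributor", "author"}


def shortcode_findings(content):
    """Return (attribute, value) pairs whose value looks like injected markup."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for attr in ATTR_RE.finditer(sc.group(1)):
            name = attr.group(1)
            value = next(v for v in attr.groups()[1:] if v is not None)
            if SUSPICIOUS_RE.search(value):
                findings.append((name, value))
    return findings


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Apply the advisory's SIEM logic, then grade each hit by content inspection.

    medium: a low-privilege user saved content containing the shortcode
            (this is exactly what the advisory's query matches);
    high:   that content also carries markup inside a shortcode attribute.
    Higher-privilege users are reported only when the markup check fires.
    """
    alerts = []
    for ev in events:
        if ev.get("source") != "wordpress" or ev.get("event") != "post_updated":
            continue
        content = ev.get("content", "")
        if not SHORTCODE_RE.search(content):
            continue
        role = ev.get("user_role", "")
        findings = shortcode_findings(content)
        if role in LOW_PRIV_ROLES and findings:
            severity = "high"
        elif role in LOW_PRIV_ROLES or findings:
            severity = "medium"
        else:
            continue
        alerts.append({
            "post_id": ev.get("post_id"),
            "user": ev.get("user"),
            "role": role,
            "severity": severity,
            "findings": findings,
        })
    return alerts


# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"source": "wordpress", "event": "post_updated", "post_id": 41, "user": "cjones", "user_role": "contributor", "content": "Holiday photos [FinalTilesGallery id=\\"3\\"]"}
{"source": "wordpress", "event": "post_updated", "post_id": 42, "user": "cjones", "user_role": "contributor", "content": "[FinalTilesGallery id=\\"3\\" caption=\\"<script>alert(1)</script>\\"]"}
{"source": "wordpress", "event": "post_updated", "post_id": 43, "user": "editor1", "user_role": "editor", "content": "[FinalTilesGallery id=\\"7\\"]"}
{"source": "wordpress", "event": "post_updated", "post_id": 44, "user": "cjones", "user_role": "contributor", "content": "No gallery here"}
{"source": "nginx", "event": "post_updated", "post_id": 45, "user": "cjones", "user_role": "contributor", "content": "[FinalTilesGallery id=\\"3\\"]"}
"""


if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, post 41 (a plain contributor gallery edit) comes out as medium, post 42 as high with the offending attribute listed, and the editor's edit, the shortcode-free edit and the non-WordPress event produce nothing. The attribute check is deliberately coarse: a gallery shortcode has no legitimate reason to carry angle brackets, a javascript: URL or an on*= handler in any attribute, so flagging on those avoids needing to know which attribute the plugin failed to escape.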