CVE-2024-6393
📋 TL;DR
This vulnerability allows administrators in WordPress multisite installations to inject malicious scripts into image settings, which then execute when other users view those settings. It affects WordPress sites using the Photo Gallery, Sliders, Proofing plugin before version 3.59.5, particularly in environments where the unfiltered_html capability is restricted.
💻 Affected Systems
- Photo Gallery, Sliders, Proofing WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Administrator could inject persistent XSS payloads that steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users across the entire multisite network.
Likely Case
Malicious admin injects tracking scripts or defaces parts of the site visible to other administrators, but limited to authenticated users viewing the affected settings pages.
If Mitigated
With proper admin vetting and monitoring, impact is minimal as it requires high-privilege access and only affects users viewing specific plugin settings.
🎯 Exploit Status
Exploitation requires administrator-level access. Attack would be trivial for a malicious admin but impossible for unauthenticated users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.59.5
Vendor Advisory: https://wpscan.com/vulnerability/126d1dd7-d332-47c8-ad25-5fbe211313b0/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Photo Gallery, Sliders, Proofing' plugin.
4. Click 'Update Now' if available.
5. If a manual update is needed, download version 3.59.5 or later from WordPress.org, deactivate the old version, upload the new version, then activate it.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate photo-gallery-sliders-proofing
Restrict Admin Access
Temporarily remove admin privileges from untrusted users
wp user remove-role <username> administrator
wp user add-role <username> editor
🧯 If You Can't Patch
- Remove the plugin entirely if not essential
- Implement strict monitoring of admin user activities and plugin settings changes
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins. If the version is below 3.59.5, you are vulnerable.
Check Version:
wp plugin get photo-gallery-sliders-proofing --field=version
Verify Fix Applied:
Confirm plugin version shows 3.59.5 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to plugin settings by admin users
- JavaScript payloads in plugin option values in database
Network Indicators:
- Unexpected external script loads from plugin settings pages
SIEM Query:
source="wordpress" AND ((event="plugin_updated" AND plugin_name="photo-gallery-sliders-proofing" AND version<"3.59.5") OR (event="option_update" AND option_name LIKE "%photo_gallery%"))
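As an added example (not code from the advisory or the plugin vendor), the following Python implements the two checks described above: a numeric version comparison against 3.59.5, and a scan of exported option rows for script-like values as called for under Log Indicators. The option names in the sample rows and the `photo_gallery` name filter are assumptions taken from the SIEM query, not the plugin's real option keys.

```python
import json
import re

# Version in which the vendor fixed CVE-2024-6393, per the advisory above.
FIXED_VERSION = "3.59.5"

# Coarse indicators of script injection in settings text; tune for your site.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),      # onerror=, onload=
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "embed_tag": re.compile(r"<\s*(iframe|svg|object|embed)\b", re.I),
}

def parse_version(version):
    """'3.59.5' -> (3, 59, 5); missing components compare as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """Numeric comparison; a string compare (version<"3.59.5") would wrongly
    flag 3.100.0 as vulnerable, which is why the SIEM query needs care."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def find_suspicious_options(option_rows, name_filter="photo_gallery"):
    """Return (option_name, [indicator names]) for plugin options whose value
    contains script-like content. option_rows is a list of dicts with
    option_name/option_value keys, e.g. from `wp option list --format=json`."""
    hits = []
    for row in option_rows:
        if name_filter not in row["option_name"]:
            continue
        matched = [name for name, pat in XSS_PATTERNS.items()
                   if pat.search(row["option_value"])]
        if matched:
            hits.append((row["option_name"], matched))
    return hits

# Constructed sample export (not real data); the option names are assumed.
SAMPLE_OPTIONS = json.loads("""[
  {"option_name": "photo_gallery_image_title", "option_value": "Summer 2024"},
  {"option_name": "photo_gallery_image_alt",
   "option_value": "Beach <script src=//tracker.invalid/t.js></script>"},
  {"option_name": "siteurl", "option_value": "https://example.invalid"}
]""")

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("3.59.4"))          # True
    for name, why in find_suspicious_options(SAMPLE_OPTIONS):
        print(f"{name}: {', '.join(why)}")
```

Rows outside the name filter (such as siteurl) are skipped, so the scan stays focused on the plugin's settings rather than every option in the table.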