CVE-2024-6629

6.4 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the All-in-One Video Gallery WordPress plugin lets authenticated attackers with contributor-level access or higher inject malicious scripts through the plugin's video shortcode attributes, which are not sufficiently sanitized on input or escaped on output. The payload is saved with the post and runs as arbitrary JavaScript in the browser of anyone who views the affected page or preview, including editors and administrators reviewing the contributor's draft. Any WordPress site running an affected plugin version is exposed; exploitation additionally requires that the attacker hold or obtain a contributor or higher account.

💻 Affected Systems

Products:
  • All-in-One Video Gallery WordPress Plugin
Versions: All versions up to and including 3.7.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated attacker with at least contributor-level WordPress permissions

📦 What is this software?

All-in-One Video Gallery is a WordPress plugin for embedding videos and building video galleries in posts and pages; authors place its shortcodes in their content and the plugin renders the player and gallery markup from the shortcode attributes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

If an administrator or editor views a page or preview containing the payload, the script runs with that user's session and can drive wp-admin on their behalf: create a new administrator account, change site options, edit theme files or install a backdoored plugin for persistent access. Site visitors can be redirected to malicious sites or shown defaced content.

🟠 Likely Case

A contributor account (self-registered where the default role allows it, or compromised) submits a shortcode with a script payload; the script acts in victims' sessions or presents phishing content to site visitors. WordPress authentication cookies are HttpOnly by default, so reading them outright via document.cookie is normally not possible; the realistic abuse is driving the victim's logged-in session while the page is open.

🟢 If Mitigated

If contributor accounts are limited to trusted, reviewed users and a WAF or Content-Security-Policy blocks or reports injected inline script, impact is limited to content those contributors could already change on specific pages.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a contributor-level (or higher) WordPress account; technical details and a proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.2

Fix Changeset (plugin SVN): https://plugins.trac.wordpress.org/changeset/3123171/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'All-in-One Video Gallery'
4. Click 'Update Now' if available
5. If no update appears, manually download version 3.7.2+ from WordPress.org
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Disallow Unfiltered HTML (platform: all)

Temporarily prevent any user from posting unfiltered HTML. Add to wp-config.php:

define('DISALLOW_UNFILTERED_HTML', true);

Caveat: contributors do not hold the unfiltered_html capability by default, and this bug lies in how the plugin renders its shortcode attributes rather than in raw HTML that wp_kses would strip, so this setting is defense in depth only (it also removes the capability from editors and administrators) and does not by itself close CVE-2024-6629.

Disable Plugin (platform: linux)

Deactivate the vulnerable plugin until it is patched. Pages that use its shortcodes will show the shortcode text as plain, escaped text instead of the video until the plugin is re-enabled:

wp plugin deactivate all-in-one-video-gallery

🧯 If You Can't Patch

  • Review and audit all contributor-level and higher accounts; remove unnecessary ones, and confirm that open registration (Settings → General → Membership) does not assign a default role of contributor or above
  • Search existing posts and pages for the plugin's shortcodes whose attribute values contain script-like fragments (event handlers such as onerror= or onmouseover=, javascript:, quote breaks) and unpublish or clean them
  • Deploy WAF rules that block XSS payloads in POST requests to /wp-admin/post.php and /wp-json/wp/v2/posts, treating this as a stopgap because signature-based filtering is routinely evaded

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → All-in-One Video Gallery → Version. If version is 3.7.1 or lower, you are vulnerable.

Check Version:

wp plugin get all-in-one-video-gallery --field=version

Verify Fix Applied:

After update, confirm plugin version shows 3.7.2 or higher in WordPress admin panel.
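The update steps and the version checks above, combined into one WP-CLI script. This is an added example, not code from the plugin or from WordPress.org: it compares the installed version against 3.7.2 with a pure POSIX version comparison (so it does not depend on GNU sort -V), updates sites that are in the affected range, and re-reads the version afterwards to confirm the fix landed. It assumes WP-CLI ("wp") is installed and that each argument is a WordPress root directory.

```shell
#!/bin/sh
# Check an installed All-in-One Video Gallery against the fixed version and
# update it with WP-CLI if it is in the affected range (<= 3.7.1).
# Added example. Assumes WP-CLI is installed and that the paths passed in are
# WordPress root directories.

PLUGIN=all-in-one-video-gallery
FIXED=3.7.2

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
# Compares component by component; a missing component counts as 0, so
# "3.7" is treated as "3.7.0". Pre-release suffixes are not handled.
version_lt() {
  a=$1
  b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}
    bi=${b%%.*}
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# is_vulnerable VERSION: exit 0 when VERSION is in the affected range.
is_vulnerable() { version_lt "$1" "$FIXED"; }

# check_site WP_ROOT: report the site's status, update the plugin if it is
# affected, and re-check the version after the update.
check_site() {
  root=$1
  if ! wp --path="$root" plugin is-installed "$PLUGIN" 2>/dev/null; then
    echo "$root: $PLUGIN not installed"
    return 0
  fi
  ver=$(wp --path="$root" plugin get "$PLUGIN" --field=version)
  if is_vulnerable "$ver"; then
    echo "$root: $PLUGIN $ver is VULNERABLE (CVE-2024-6629); updating"
    wp --path="$root" plugin update "$PLUGIN"
    ver=$(wp --path="$root" plugin get "$PLUGIN" --field=version)
    if is_vulnerable "$ver"; then
      echo "$root: update did not reach $FIXED (installed: $ver); update manually"
      return 1
    fi
    echo "$root: now at $ver"
  else
    echo "$root: $PLUGIN $ver is not affected"
  fi
}

# Usage: sh check-aiovg.sh /var/www/site1 /var/www/site2 ...
if command -v wp >/dev/null 2>&1; then
  for root in "$@"; do check_site "$root"; done
else
  echo "wp-cli not found; version_lt and is_vulnerable still work standalone" >&2
fi
```

Run it once per server with every WordPress root as an argument; a non-zero exit from check_site means the update did not reach 3.7.2 and the manual download route from the instructions above is needed.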

📡 Detection & Monitoring

Log Indicators:

  • POST requests from contributor accounts to /wp-admin/post.php (classic editor) or /wp-json/wp/v2/posts (block editor) whose body contains the plugin's shortcode together with script-like fragments (<script, javascript:, on*= event handlers, quote breaks inside attribute values); contributors' content passes through wp_kses, so expect event-handler and attribute-breaking payloads rather than bare <script> tags
  • Brute-force or credential-stuffing patterns (many failed logins followed by a successful contributor login), which is how an attacker without an account of their own obtains the required privilege
  • An editor or administrator previewing a contributor's draft shortly before unexpected admin-side changes (new administrator users, modified theme files, newly installed plugins)

Network Indicators:

  • Visitors' browsers requesting domains not referenced by the site's own templates right after loading pages that embed the plugin's shortcodes
  • Content-Security-Policy violation reports (where a report-only policy is deployed) pointing at inline script on those pages

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/post.php" OR uri_path="/wp-json/wp/v2/posts*") AND (param="*<script*" OR param="*javascript:*" OR param="*onerror=*" OR param="*onload=*" OR param="*onmouseover=*")
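Request logs rarely carry POST bodies, so the most reliable place to look for an already-planted payload is the stored post content itself. The following shell scan is an added example, not code from the plugin or from the original page: it pulls out every occurrence of the plugin's shortcodes and flags those whose attribute text contains script-like fragments. The shortcode prefix aiovg_, the event-handler list and the sample content are assumptions constructed for the example; adjust the prefix to the shortcode names registered by your installed plugin version.

```shell
#!/bin/sh
# Scan WordPress post content for All-in-One Video Gallery shortcodes whose
# attributes carry XSS payload fragments. Added example; the "aiovg_" prefix
# and the pattern list are assumptions.

# Fragments that have no business inside a shortcode attribute value.
# Contributors' content is filtered by wp_kses, which strips bare <script>
# tags but leaves shortcode text alone, so event handlers and quote breaks
# inside the [shortcode ...] are the realistic payload shapes.
SUSPECT='<script|javascript:|on(error|load|mouseover|mouseenter|focus|click|toggle)[[:space:]]*=|<svg|<img|<iframe'

# flag_payloads: read post content on stdin; print each shortcode occurrence
# that contains a suspect fragment. Exit status is that of the final grep
# (0 when at least one hit was printed).
flag_payloads() {
  grep -oiE '\[aiovg_[a-z_]+[^]]*\]' | grep -iE "$SUSPECT"
}

# count_flagged CONTENT: number of flagged shortcodes in CONTENT.
count_flagged() {
  printf '%s\n' "$1" | flag_payloads | wc -l | tr -d ' '
}

# scan_site WP_ROOT: walk every post of every type and status via WP-CLI and
# print flagged shortcodes with the post ID so the post can be reviewed.
scan_site() {
  root=$1
  for id in $(wp --path="$root" post list --post_type=any --post_status=any --field=ID); do
    hits=$(wp --path="$root" post get "$id" --field=post_content | flag_payloads)
    [ -n "$hits" ] && printf '%s: post %s\n%s\n' "$root" "$id" "$hits"
  done
  return 0
}

# Constructed sample content (not taken from any real site): one clean video
# shortcode, one carrying an event-handler payload, one gallery shortcode,
# and a <script> outside any shortcode, which this scan intentionally ignores.
SAMPLE_CONTENT='Intro paragraph.
[aiovg_video id="12" poster="https://example.com/p.jpg"]
[aiovg_video id="13" poster="x" onmouseover="alert(document.domain)"]
[aiovg_videos category="5"]
Regular text with <script>not in a shortcode</script>'

# Usage: sh scan-aiovg.sh /var/www/site1 /var/www/site2 ...
# With no arguments (or without WP-CLI) it scans the constructed sample instead.
if [ "$#" -gt 0 ] && command -v wp >/dev/null 2>&1; then
  for root in "$@"; do scan_site "$root"; done
else
  printf '%s\n' "$SAMPLE_CONTENT" | flag_payloads || echo "no suspect shortcodes in sample"
fi
```

Treat a hit as a lead rather than proof: review the flagged post and its author, unpublish it, and check wp-admin activity (new users, theme or plugin changes) around the time an editor or administrator last viewed it. The scan deliberately ignores HTML outside shortcodes because wp_kses already strips that for contributors; content written by editors or administrators with unfiltered_html needs a broader review.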
