CVE-2024-9769

4.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in the Video Gallery WordPress plugin allows authenticated administrators to inject malicious scripts into admin settings pages. The injected scripts execute when other users view those pages. Only affects WordPress multisite installations or sites where unfiltered_html capability is disabled.

💻 Affected Systems

Products:
  • Video Gallery – Best WordPress YouTube Gallery
Versions: All versions up to and including 2.4.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Only vulnerable on WordPress multisite installations OR installations where unfiltered_html capability is disabled for administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to full site takeover, data theft, or malware distribution to site visitors.

🟠 Likely Case

Privilege escalation where lower-privileged administrators can execute scripts with higher privileges, potentially stealing session cookies or performing unauthorized actions.

🟢 If Mitigated

Limited impact due to requiring administrator credentials and specific WordPress configurations.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires administrator credentials. Exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2 or later

Vendor Advisory: https://wordpress.org/plugins/gallery-for-youtube/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Video Gallery – Best WordPress YouTube Gallery'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 2.4.2+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin (all)

Temporarily disable the Video Gallery plugin until patched:

wp plugin deactivate gallery-for-youtube

Enable unfiltered_html for admins (all)

Enable the unfiltered_html capability for administrator roles (not recommended for security):

Add define('DISALLOW_UNFILTERED_HTML', false); to wp-config.php

🧯 If You Can't Patch

  • Remove administrator access from untrusted users
  • Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Video Gallery version. If the version is 2.4.1 or lower, you are vulnerable when the site is a multisite installation or has the unfiltered_html capability disabled.

Check Version:

wp plugin get gallery-for-youtube --field=version

Verify Fix Applied:

Verify plugin version is 2.4.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin.php?page=video-gallery-settings
  • JavaScript payloads in plugin settings fields

Network Indicators:

  • Suspicious script tags in HTTP responses from admin pages

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin.php" AND uri_query="page=video-gallery-settings") AND (http_method="POST")
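The same detection logic as the SIEM query above, applied to web-server access logs, plus the version/configuration test from the "How to Verify" section. This is an added example written for this advisory, not code from the plugin or its vendor; it assumes combined-format access logs, and the log lines below are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - admin [10/Oct/2024:12:00:01 +0000] "POST /wp-admin/admin.php?page=video-gallery-settings HTTP/1.1" 200 1532
203.0.113.5 - admin [10/Oct/2024:12:00:05 +0000] "GET /wp-admin/admin.php?page=video-gallery-settings HTTP/1.1" 200 8810
198.51.100.9 - editor [10/Oct/2024:12:01:10 +0000] "POST /wp-admin/admin.php?page=other-plugin HTTP/1.1" 200 420
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_settings_write(method, target):
    """Mirror the SIEM query: a POST to /wp-admin/admin.php with page=video-gallery-settings."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return (
        method == "POST"
        and parts.path == "/wp-admin/admin.php"
        and query.get("page") == ["video-gallery-settings"]
    )


def find_settings_writes(log_text):
    """Return (timestamp, ip, user) for every settings-page write in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_settings_write(m["method"], m["target"]):
            hits.append((m["ts"], m["ip"], m["user"]))
    return hits


def parse_version(version):
    """Turn a dotted plugin version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version, multisite, unfiltered_html_disabled):
    """Apply the advisory's conditions: version <= 2.4.1 AND (multisite OR unfiltered_html disabled)."""
    return parse_version(version) <= (2, 4, 1) and (multisite or unfiltered_html_disabled)


if __name__ == "__main__":
    for ts, ip, user in find_settings_writes(SAMPLE_LOG):
        print(f"settings write at {ts} from {ip} as {user}")
```

Writes to the settings page by an expected administrator are normal; the value of the alert is in reviewing who made them and whether the saved field values contain script content.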
