CVE-2024-9878

4.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers with administrator-level permissions to inject malicious scripts into WordPress admin settings pages. The injected scripts execute whenever users access the affected pages, potentially compromising user sessions or performing unauthorized actions. Only WordPress multi-site installations or installations where the unfiltered_html capability is disabled are affected.

💻 Affected Systems

Products:
  • Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin
Versions: All versions up to and including 1.8.30
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Only vulnerable in WordPress multi-site installations OR installations where unfiltered_html capability is disabled for administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leading to full site takeover, data theft, or malware distribution to site visitors.

🟠 Likely Case: Session hijacking of other administrators, defacement of admin pages, or credential theft via phishing.

🟢 If Mitigated: Limited impact, since exploitation requires admin credentials and specific configuration conditions.

🌐 Internet-Facing: MEDIUM - WordPress sites are typically internet-facing, but exploitation requires admin access and specific configurations.
🏢 Internal Only: LOW - Primarily affects internet-facing WordPress installations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials. Public proof-of-concept exists on Packet Storm Security.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.31 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3180567%40photo-gallery%2Ftrunk&old=3171538%40photo-gallery%2Ftrunk&sfp_email=&sfph_mail=#file12

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Photo Gallery by 10Web'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.8.31+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily disable the Photo Gallery plugin until patched:

wp plugin deactivate photo-gallery

Enable unfiltered_html for admins (applies to: all)

Enable the unfiltered_html capability for administrator roles (makes the vulnerability inactive per the CVE description):

Add define('DISALLOW_UNFILTERED_HTML', false); to wp-config.php

🧯 If You Can't Patch

  • Remove administrator access from untrusted users
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Photo Gallery by 10Web. If the version is 1.8.30 or lower, you are vulnerable if the site is a multi-site installation OR unfiltered_html is disabled for administrators.

Check Version:

wp plugin get photo-gallery --field=version

Verify Fix Applied:

Verify plugin version is 1.8.31 or higher in WordPress admin panel.
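The three checks above combined into one script, as an added example that is not part of the advisory or the plugin vendor's tooling. It compares the installed version against 1.8.31 and then applies the multi-site / unfiltered_html condition from the Notes field. The wp-cli calls at the bottom run only when wp is on the PATH; the is_multisite() and DISALLOW_UNFILTERED_HTML probes through wp eval are assumptions about how to read that state, and the version comparison assumes dot-separated numeric components.

```shell
#!/bin/sh
# Added example: decide whether an install of Photo Gallery by 10Web is in the
# affected state described by CVE-2024-9878, i.e. version <= 1.8.30 AND
# (multi-site OR unfiltered_html disabled for administrators).

FIXED_VERSION="1.8.31"

# version_lt A B: exit 0 when A < B, comparing dot-separated numeric parts.
# Non-digit characters (e.g. a "-beta" suffix) are ignored; missing parts count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah=$(printf '%s' "$ah" | tr -cd '0-9'); bh=$(printf '%s' "$bh" | tr -cd '0-9')
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1
}

# assess VERSION MULTISITE UNFILTERED_HTML_FOR_ADMINS
#   MULTISITE and UNFILTERED_HTML_FOR_ADMINS are "yes" or "no".
# Prints one of: VULNERABLE, PATCHED, NOT-EXPOSED.
assess() {
    ver="$1"; multisite="$2"; unfiltered="$3"
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "PATCHED"          # 1.8.31 or later
    elif [ "$multisite" = "yes" ] || [ "$unfiltered" = "no" ]; then
        echo "VULNERABLE"       # affected version in an affected configuration
    else
        echo "NOT-EXPOSED"      # affected version, but single-site with unfiltered_html for admins
    fi
}

# Live check using wp-cli (assumed to be installed and run from the WordPress root).
live_check() {
    ver=$(wp plugin get photo-gallery --field=version 2>/dev/null) || { echo "photo-gallery not installed"; return 0; }
    multisite=$(wp eval 'echo is_multisite() ? "yes" : "no";')
    # WordPress withholds unfiltered_html from every user, administrators included,
    # when wp-config.php defines DISALLOW_UNFILTERED_HTML as true.
    unfiltered=$(wp eval 'echo ( defined("DISALLOW_UNFILTERED_HTML") && DISALLOW_UNFILTERED_HTML ) ? "no" : "yes";')
    echo "photo-gallery $ver multisite=$multisite unfiltered_html_for_admins=$unfiltered -> $(assess "$ver" "$multisite" "$unfiltered")"
}

if command -v wp >/dev/null 2>&1; then
    live_check
else
    echo "wp-cli not found; example verdicts:"
    echo "1.8.30 single-site, unfiltered_html enabled  -> $(assess 1.8.30 no yes)"
    echo "1.8.30 multi-site                            -> $(assess 1.8.30 yes yes)"
    echo "1.8.31 multi-site                            -> $(assess 1.8.31 yes yes)"
fi
```

In multi-site, administrators who are not super admins lack unfiltered_html regardless of the constant, which is why the multi-site flag alone is enough for a VULNERABLE verdict; the constant probe only matters for single-site installs.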

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin user activity or suspicious POST requests to the photo gallery settings pages
  • JavaScript payloads in admin area logs

Network Indicators:

  • Unexpected script tags in HTTP responses from gallery pages
  • External script loads from gallery admin pages

SIEM Query:

source="wordpress.log" AND ("photo-gallery" OR "bwg") AND ("script" OR "onload" OR "onerror" OR "javascript:")
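The log indicators and the SIEM query above turned into a grep-based triage script, as an added example that is not part of the advisory. It assumes Apache/nginx combined-format access logs; the sample lines and the bwg_settings page path in them are constructed, and line 4 pretends the POST body was logged, which stock access logs do not do (that is why "JavaScript payloads in admin area logs" needs application-level logging to be visible). One refinement over the SIEM query: bare "script" or "onload" also matches harmless parameter names, so the patterns here require the attribute form, in both plain and URL-encoded spelling.

```shell
#!/bin/sh
# Added example: triage access-log lines for requests to photo-gallery/bwg admin
# pages that carry script-like payloads. Reads the log on stdin.

# Scope: the same "photo-gallery" / "bwg" terms the SIEM query keys on.
SCOPE_RE='(photo-gallery|bwg)'
# Payload markers in plain and URL-encoded form (%3C = '<', %3D = '=', %3A = ':').
# Requiring "<script" / "onerror=" instead of bare words avoids matching ordinary
# parameter names such as "onload_help".
PAYLOAD_RE='(<script|%3Cscript|onload(=|%3D)|onerror(=|%3D)|javascript(:|%3A))'

# scan_log: print every in-scope line containing a payload marker (stdin -> stdout)
scan_log() {
    grep -iE "$SCOPE_RE" | grep -iE "$PAYLOAD_RE"
}

# count_hits: number of suspicious lines on stdin
count_hits() {
    n=$(scan_log | wc -l)
    printf '%s\n' "$n" | tr -d ' '
}

# Constructed sample log (combined log format); lines 2 and 4 are the hits.
# The admin page path is a made-up sample, not necessarily the plugin's real slug.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Oct/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=bwg_settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:10:00:09 +0000] "POST /wp-admin/admin.php?page=bwg_settings&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:10:01:00 +0000] "GET /wp-content/plugins/photo-gallery/css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:10:01:30 +0000] "POST /wp-admin/admin.php?page=bwg_settings HTTP/1.1" 302 0 "-" "Mozilla/5.0" body="name=x%22%20onerror%3Dalert(1)"
192.0.2.9 - - [10/Oct/2024:10:02:00 +0000] "GET /wp-admin/admin.php?page=bwg_settings&onload_help=1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
EOF
)

echo "suspicious lines: $(printf '%s\n' "$SAMPLE_LOG" | count_hits)"
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Against a real log, run scan_log < /var/log/apache2/access.log (path assumed) and pivot on the client address and the admin session active at that time; the hits are leads to review, not proof of compromise by themselves.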
