CVE-2024-10704: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web WordPress plugin versions before 1.8.31 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on November 8, 2024, and was assigned CVE-2024-10704. The issue affects the plugin's settings functionality, specifically impacting WordPress installations including multisite setups (WPScan, NVD).

The vulnerability stems from insufficient sanitization and escaping of certain plugin settings. The issue has received a CVSS 3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the Gallery Title field, where unsanitized input can lead to stored XSS execution (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly concerning in multisite WordPress installations where such restrictions are commonly implemented (WPScan).

The vulnerability has been patched in version 1.8.31 of the Photo Gallery by 10Web WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).