CVE-2024-2296: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-2296) affecting all versions up to and including 1.8.21. The vulnerability was discovered and disclosed in March 2024, impacting WordPress installations with multi-site configurations or where unfiltered_html has been disabled (CVE Details).

The vulnerability stems from insufficient input sanitization and output escaping specifically related to SVG file uploads. This security issue allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The vulnerability has been assigned a CVSS v3.1 score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, the vulnerability allows attackers to inject malicious web scripts that execute in users' browsers when they visit affected pages. This could potentially lead to unauthorized data access or manipulation of the website's content. The impact is limited to multi-site installations and installations where unfilteredhtml has been disabled ([WordPress Changelog](https://plugins.trac.wordpress.org/changeset?sfpemail=&sfphmail=&reponame=&old=3058445%40photo-gallery&new=3058445%40photo-gallery&sfpemail=&sfph_mail=)).

The vulnerability has been patched in version 1.8.22 of the Photo Gallery by 10Web plugin. The update includes fixes for SVG sanitization and improved file upload argument validation. Users are advised to update to the latest version immediately (WordPress Changelog).