CVE-2024-8670: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web WordPress plugin vulnerability (CVE-2024-8670) was discovered by Dmitrii Ignatyev and publicly disclosed on August 6, 2024. This security flaw affects versions before 1.8.29 of the plugin, specifically impacting WordPress installations, including multisite setups. The vulnerability is related to improper sanitization and escaping of certain plugin settings (WPScan, Wiz).

The vulnerability stems from insufficient sanitization and escaping of specific settings within the plugin, enabling high-privilege users such as administrators to execute Stored Cross-Site Scripting (XSS) attacks, even in environments where the unfiltered_html capability is explicitly disallowed. The vulnerability has been assigned a CVSS v3.1 score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows privileged users to inject and store malicious JavaScript code in the application's database. The stored XSS can potentially affect other users who access the affected gallery pages, leading to client-side attacks when users interact with the compromised content (Wiz).

The vulnerability has been patched in version 1.8.29 of the Photo Gallery by 10Web plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan, Wiz).