CVE-2024-9778: 
WordPress vulnerability analysis and mitigation

The ImagePress – Image Gallery plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.2.2. The vulnerability was discovered and disclosed on October 11, 2024, and is tracked as CVE-2024-9778. The issue affects the 'imagepressadminpage' function due to missing or incorrect nonce validation (NVD).

The vulnerability stems from improper security controls in the 'imagepressadminpage' function, specifically the lack of proper nonce validation. This security weakness has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

When exploited, this vulnerability allows unauthenticated attackers to update plugin settings, including redirection URLs, through forged requests. The attack requires user interaction, as the attacker must trick a site administrator into performing specific actions, such as clicking on a malicious link (NVD).

Users should update to version 1.3.0 or later of the ImagePress – Image Gallery plugin to address this vulnerability. A patch has been released and is available through the WordPress plugin repository (WordPress Patch).