CVE-2024-10034 in Gallery Blocks with Lightbox. Image Gallery

Summary

by MITRE • 11/22/2024

The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the gallery link text parameter in all versions up to, and including, 3.2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 02/23/2025

The vulnerability identified as CVE-2024-10034 affects the Gallery Blocks with Lightbox plugin for WordPress in all versions up to and including 3.2.4.2. The plugin creates image galleries with lightbox effects and also embeds HTML5 video and YouTube/Vimeo video. The flaw is a stored cross-site scripting vulnerability reachable through the gallery link text parameter: an authenticated attacker with Editor-level permissions or higher can inject script into the pages the plugin renders.

The vulnerability stems from insufficient input sanitization and inadequate output escaping in the plugin's codebase. When an administrator or editor creates a gallery entry with a link text value, the plugin neither validates nor sanitizes that input before storing it in the database. The stored value is later retrieved and written into the page without proper escaping, so injected JavaScript persists and executes whenever any user loads a page containing the affected gallery link. Link text fields such as this one are a common input vector for cross-site scripting in web applications because they are stored once and rendered on every subsequent visit.

The operational impact is significant for WordPress sites running the affected plugin, because it gives an attacker a persistent way to execute script in visitors' browsers. Since only Editor-level access is required, the flaw can be exploited by trusted users who hold the Editor role or higher, which may include content creators, site editors, or other privileged users. Because the XSS is stored, the injected script runs automatically for every user who views the affected gallery pages, which makes it especially dangerous on high-traffic or multi-user sites. In practice this allows an attacker to hijack user sessions, steal sensitive information, or redirect users to malicious websites.

Mitigation should focus on promptly updating the plugin to a version that corrects the sanitization and escaping deficiencies. System administrators should prioritize upgrading to the latest available version of the Gallery Blocks with Lightbox plugin as soon as patches become available. Proper input validation and, above all, context-appropriate output escaping should be verified through security audits of the plugin's codebase. Organizations should also consider a web application firewall that can detect and block script injection attempts, and should monitor for unusual activity in gallery creation or modification. According to CWE guidelines, this vulnerability aligns with CWE-79, which addresses cross-site scripting flaws, and from an ATT&CK perspective it maps to T1566.001, which covers social engineering through malicious content injection. Regular security assessments and user access reviews should be conducted to minimize the risk of unauthorized privilege escalation that could lead to exploitation of this vulnerability.
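As an added illustration of the two preceding paragraphs (the unescaped-output defect and the escape-on-output fix), the PHP below is not the plugin's code and does not reproduce its real functions: the rendering functions, the audit helper, the sample stored link text and the URL are all constructed for this example. The `function_exists` fallbacks let it run under a plain `php` interpreter; inside WordPress the real `esc_html()`, `esc_attr()`, `esc_url()` and `sanitize_text_field()` helpers take precedence, and the fallbacks are approximations of them.

```php
<?php
declare(strict_types=1);

// Fallbacks so the script runs outside WordPress. Inside WordPress these names
// already exist and the real implementations are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Minimal stand-in: allow only http(s) links. WordPress's esc_url() is stricter.
        return preg_match('#^https?://#i', $url) === 1 ? esc_attr($url) : '';
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation of the WordPress helper: drop tags, control bytes and outer whitespace.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text) ?? '';
        return trim($text);
    }
}

// Vulnerable pattern (constructed): stored, user-controlled link text is concatenated
// straight into markup, so any tag or script inside it becomes live HTML.
function render_gallery_link_vulnerable(string $url, string $link_text): string {
    return '<a class="gallery-link" href="' . $url . '">' . $link_text . '</a>';
}

// Hardened pattern: sanitize once on save (defence in depth) ...
function save_gallery_link_text(string $raw_link_text): string {
    return sanitize_text_field($raw_link_text);
}

// ... and always escape on output, choosing the escaper for the exact context:
// esc_url() for the href attribute, esc_html() for the element text,
// esc_attr() for any other attribute value such as title.
function render_gallery_link_hardened(string $url, string $link_text): string {
    return '<a class="gallery-link" href="' . esc_url($url) . '"'
        . ' title="' . esc_attr($link_text) . '">'
        . esc_html($link_text) . '</a>';
}

// Audit check for existing records: a stored link text that still carries markup,
// a javascript: URL or an inline event handler was saved before the fix or
// bypassed sanitization and should be reviewed.
function link_text_looks_suspicious(string $stored_text): bool {
    return $stored_text !== strip_tags($stored_text)
        || preg_match('/javascript:|\bon[a-z]+\s*=/i', $stored_text) === 1;
}

// Constructed sample: the kind of value an Editor could place in the link text field.
$stored_text = 'Summer trip <script>document.title = "xss"</script>';
$url = 'https://example.test/gallery';

echo 'Vulnerable: ', render_gallery_link_vulnerable($url, $stored_text), PHP_EOL;
echo 'Hardened:   ', render_gallery_link_hardened($url, save_gallery_link_text($stored_text)), PHP_EOL;
echo 'Suspicious stored value: ', link_text_looks_suspicious($stored_text) ? 'yes' : 'no', PHP_EOL;
```

Run it with `php example.php`. The vulnerable line emits the `<script>` element verbatim; the hardened line emits it as `&lt;script&gt;...` (or, with the sanitize-on-save step, without the tags at all), so the browser shows text instead of executing code. Escaping at output is the fix that closes CWE-79; sanitizing on save is an extra layer, not a substitute, because stored data can also reach the page through paths other than the save handler.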

Responsible

Wordfence

Reservation

10/16/2024

Disclosure

11/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00364

KEV

no

Activities

very low
