CVE-2024-4035 in Photo Gallery plugin
Summary
by MITRE • 04/25/2024
The Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt text in all versions up to, and including, 2.7.7.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/03/2025
The Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 2.7.7.21. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's handling of image alt text fields. The flaw lies in the way the plugin processes and stores user-supplied alt text, creating an environment where malicious scripts can be persistently injected into the plugin's image gallery functionality. Attackers with author-level privileges or higher can exploit this weakness to inject malicious code that will execute whenever any user accesses a page containing the compromised gallery.
The technical exploitation of this vulnerability occurs through the manipulation of image alt text fields within the WordPress admin interface. When administrators or authors input specially crafted malicious code into these fields, the plugin fails to properly sanitize the input before storing it in the database. The insufficient output escaping means that when the gallery displays these images on frontend pages, the stored malicious scripts execute in the context of other users' browsers. This creates a persistent threat where the injected code can affect any visitor who accesses pages containing the compromised gallery, making the vulnerability particularly dangerous for websites with high traffic or sensitive user data.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform various malicious activities through the compromised user sessions. An attacker with author privileges could inject scripts that steal session cookies, redirect users to phishing sites, or even execute additional attacks through the victim's browser context. The stored nature of the vulnerability means that the malicious payloads remain active even after the initial injection, continuously affecting users until the vulnerability is patched and the malicious content is removed from the database. This persistent threat makes the vulnerability particularly concerning for content management systems where multiple authors may have access to gallery editing functionality.
From a security framework perspective, this vulnerability maps directly to CWE-79: Cross-Site Scripting and aligns with ATT&CK technique T1566.001: Phishing via Service. The vulnerability represents a classic case of insufficient input validation combined with inadequate output sanitization, creating a path for malicious code injection that can be leveraged for broader attacks. Organizations using this plugin should immediately implement patch management procedures to update to the latest version where the sanitization and escaping mechanisms have been properly addressed. The recommended mitigation strategy includes not only applying the vendor patch but also reviewing user permissions to ensure that only trusted administrators have access to gallery editing functionality, thereby reducing the attack surface for potential exploitation.
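The pattern described above (alt text stored as submitted and echoed into an attribute unescaped) beside the hardened form a patch would introduce, as an added example written for this page; it is not the plugin's own code, and the function names and the `_gt3_example_alt` meta key are hypothetical. Only standard WordPress API functions are used.

```php
<?php
// Added example, not the plugin's code. Meta key and function names are hypothetical.

// VULNERABLE PATTERN: alt text is saved verbatim and later concatenated into
// an HTML attribute with no escaping, so a stored value can break out of the
// attribute and execute in every visitor's browser (stored XSS, CWE-79).
function gt3_example_save_alt_unsafe( int $attachment_id, string $raw_alt ): void {
    update_post_meta( $attachment_id, '_gt3_example_alt', $raw_alt ); // no sanitization
}
function gt3_example_render_unsafe( int $attachment_id, string $src ): string {
    $alt = (string) get_post_meta( $attachment_id, '_gt3_example_alt', true );
    return '<img src="' . $src . '" alt="' . $alt . '">'; // no output escaping
}

// HARDENED: capability and nonce checks, sanitize on input, escape on output.
// esc_attr() is the decisive control: it entity-encodes quotes and angle
// brackets, so whatever is stored can no longer close the alt attribute.
function gt3_example_save_alt_safe( int $attachment_id, string $raw_alt ): bool {
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return false; // author-level users may only edit their own attachments
    }
    check_admin_referer( 'gt3_example_save_alt' ); // dies on a bad/missing nonce
    $alt = sanitize_text_field( wp_unslash( $raw_alt ) ); // strips tags, trims, normalizes
    return (bool) update_post_meta( $attachment_id, '_gt3_example_alt', $alt );
}
function gt3_example_render_safe( int $attachment_id, string $src ): string {
    $alt = (string) get_post_meta( $attachment_id, '_gt3_example_alt', true );
    return sprintf( '<img src="%s" alt="%s">', esc_url( $src ), esc_attr( $alt ) );
}

// AUDIT after upgrading: list attachments whose stored alt text still carries
// characters that only output escaping would neutralize, so the persisted
// payloads the analysis mentions can be found and removed from the database.
function gt3_example_audit_alt(): array {
    $flagged = array();
    $ids = get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit', // attachments are not 'publish'
        'fields'         => 'ids',
        'posts_per_page' => -1,
    ) );
    foreach ( $ids as $id ) {
        $alt = (string) get_post_meta( $id, '_gt3_example_alt', true );
        if ( preg_match( '/[<>"\']/', $alt ) ) {
            $flagged[ $id ] = $alt;
        }
    }
    return $flagged; // attachment_id => suspicious alt text
}
```

Sanitizing on input alone is not sufficient, since data can reach the meta table through other paths (imports, REST, older versions); escaping at the point of output is what closes the bug regardless of how the value was stored.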