CVE-2023-6924 MEDIUM

CVE-2023-6924: Photo Gallery by 10Web <= 1.8.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Widget

Vendor 10Web
Product Photo Gallery by 10Web – Mobile-Friendly Image Gallery
Weakness CWE-79 · XSS
Published January 11, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It can also be exploited with a contributor-level permission with a page builder plugin.

Key dates

02Disclosure timeline

January 11, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-40659 Extension - joomboost.com - Reflected XSS in Easy Quick Contact module for Joomla 1.0.0-1.3.0 CVE-2024-10179 Slickstream: Engagement and Conversions <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via slick-grid Shortcode CVE-2026-7332 LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter CVE-2024-47301 WordPress Bit Form plugin <= 2.13.10 - Cross Site Scripting (XSS) vulnerability CVE-2018-0340