{"id":"CVE-2024-29810","details":"The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript block in the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue.","modified":"2026-03-14T12:28:06.618065Z","published":"2024-03-26T16:15:12.707Z","references":[{"type":"WEB","url":"https://wordpress.org/plugins/photo-gallery/#developers"},{"type":"EVIDENCE","url":"https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin/"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.8.22"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29810.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}