CVE-2024-56036

CVE-2024-56036 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79 for improper neutralization of input during web page generation. It affects the odPhotogallery WordPress plugin (od-photogallery-plugin) developed by Ondrej Donek, impacting all versions up to and including 0.5.3. The vulnerability enables attackers to inject malicious scripts into web pages viewed by users, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), rated as High severity.

The attack requires network access and low complexity, with no privileges needed but user interaction such as clicking a malicious link. An attacker can craft a URL containing a malicious payload that reflects unsanitized user input back into the page, executing arbitrary JavaScript in the victim's browser context. This leads to low impacts on confidentiality, integrity, and availability, but the changed scope (S:C) allows potential effects beyond the vulnerable component, such as session hijacking or phishing within the WordPress site's user base.

Patchstack has documented the vulnerability in its database, providing details on the affected WordPress plugin version 0.5.3 at https://patchstack.com/database/Wordpress/Plugin/od-photogallery-plugin/vulnerability/wordpress-odphotogallery-plugin-0-5-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should update to a patched version if available or apply input sanitization workarounds, while monitoring for plugin updates.