WordPress Plugin Vulnerabilities

Modula Image Gallery < 2.10.2 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox 5 JavaScript Library

Description

The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions <= 5.0.36) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
modula-best-grid-gallery
Fixed in 2.10.2

References

CVE
CVE-2024-9416
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1954040c-2188-48b7-9f21-9a0c851c9165

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
d5d6759c-3278-4f0e-a0db-36e2cd702df1

Timeline

Publicly Published
2025-04-02 (about 1 year ago)
Added
2025-04-03 (about 1 year ago)
Last Updated
2025-04-03 (about 1 year ago)

Other

Published
Title
Published
2025-05-07
Title
DELUCKS SEO < 2.6.0 - Contributor+ Stored XSS
Published
2026-04-03
Title
WP Travel Engine - Travel and Tour Booking Plugin < 6.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode
Published
2020-08-31
Title
WP Smart CRM & Invoices FREE <= 1.8.7 - Authenticated Stored Cross-Site Scripting
Published
2024-10-31
Title
Media Modal <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-07-21
Title
Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery < 1.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting