Best WordPress Gallery Plugin Vulnerability– FooGallery – Authenticated(Administrator+) Stored Cross-Site Scripting via Settings – CVE-2024-0604 | WordPress Plugin Vulnerability Report

Plugin Name: Best WordPress Gallery Plugin – FooGallery

Key Information:

  • Software Type: Plugin
  • Software Slug: foogallery
  • Software Status: Active
  • Software Author: bradvin
  • Software Downloads: 4,701,372
  • Active Installs: 100,000
  • Last Updated: February 16, 2024
  • Patched Versions: 2.4.9
  • Affected Versions: <= 2.4.7

Vulnerability Details:

  • Name: Best WordPress Gallery Plugin – FooGallery <= 2.4.7
  • Title: Authenticated(Administrator+) Stored Cross-Site Scripting via settings
  • Type: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0604
  • CVSS Score: 4.4
  • Publicly Published: February 14, 2024
  • Researcher: Akbar Kustirama
  • Description: The plugin is vulnerable to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows attackers with administrator-level permissions to inject arbitrary web scripts in pages, affecting multi-site installations and sites where unfiltered_html is disabled.


The Best WordPress Gallery Plugin – FooGallery for WordPress harbors a vulnerability in versions up to and including 2.4.7 that permits authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages via admin settings. This vulnerability has been patched in version 2.4.9.

Detailed Overview:

This vulnerability, identified by researcher Akbar Kustirama, arises from inadequate input sanitization and output escaping within the plugin's admin settings, posing a risk primarily to multi-site installations and sites with unfiltered_html disabled. It allows attackers with sufficient permissions to perform Stored Cross-Site Scripting (XSS) attacks, potentially compromising site integrity and user security. The prompt patching of this vulnerability in version 2.4.9 mitigates the risk, ensuring that installations are safeguarded against potential exploits.

Advice for Users:

Immediate Action: Users are urged to update to the patched version 2.4.9 to secure their sites against this vulnerability. Check for Signs of Vulnerability: Administrators should review their site for unexpected script executions in admin settings pages and monitor user roles to ensure only trusted individuals have administrative access. Alternate Plugins: Considering alternative gallery plugins with a strong security record can serve as a precautionary measure. Stay Updated: Keeping plugins updated is crucial in maintaining site security and functionality, preventing potential vulnerabilities.


The quick response by the plugin developers in releasing a patch underscores the critical nature of maintaining up-to-date installations for WordPress site security. Users are advised to update to version 2.4.9 or later to safeguard their installations against CVE-2024-0604.


In today's fast-paced digital environment, the security of your WordPress website cannot be taken for granted. A recent discovery within the popular Best WordPress Gallery Plugin – FooGallery underscores the ever-present need for vigilance and proactive measures in website maintenance. With over 100,000 active installations, the revelation of a security vulnerability within such a widely used plugin serves as a stark reminder of the potential risks lurking in even the most trusted tools.

Plugin Overview:

FooGallery, developed by bradvin, is a prominent gallery plugin in the WordPress ecosystem, boasting over 4.7 million downloads. Its intuitive interface and versatile features have made it a go-to choice for displaying images and content attractively. However, its vast user base also makes it a significant target for malicious activities.

Vulnerability Insights:

The vulnerability, identified as CVE-2024-0604, is a case of authenticated stored cross-site scripting (XSS) that arises from insufficient input sanitization and output escaping within the plugin's admin settings. Specifically, this flaw allows attackers with administrative access to inject harmful scripts into web pages, potentially compromising the site's integrity and the security of its users. Versions up to and including 2.4.7 were affected, with the issue being prominently hazardous in multi-site installations or in instances where the unfiltered_html capability is disabled.

Risks and Impacts:

The potential impacts of this vulnerability are multifaceted, ranging from unauthorized data access to the manipulation of website content and the distribution of malware to unsuspecting users. For businesses, the repercussions could extend further to include reputational damage, loss of customer trust, and potential legal liabilities.

Remediation and Protection:

In response to this discovery, the developers of FooGallery acted swiftly to release a patch in version 2.4.9. Users of the plugin are strongly urged to update to this latest version to mitigate the risks posed by the vulnerability. Additionally, website owners should conduct regular reviews of user roles and permissions, limiting administrative access only to trusted parties.

Previous Vulnerabilities:

It's worth noting that this is not the first time vulnerabilities have been identified in FooGallery. Since February 25, 2019, there have been 10 documented cases, emphasizing the importance of continuous monitoring and updating of all website components.


For small business owners, who often juggle multiple responsibilities, staying abreast of every security update and vulnerability may seem daunting. However, the health and security of your WordPress site are integral to your business's success and reputation. Employing basic security practices such as regular updates, using strong passwords, and perhaps most importantly, leveraging the expertise of security professionals or managed WordPress hosting services can significantly reduce your site's vulnerability to attacks. Remember, in the realm of cybersecurity, an ounce of prevention is worth a pound of cure.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Best WordPress Gallery Plugin Vulnerability– FooGallery – Authenticated(Administrator+) Stored Cross-Site Scripting via Settings – CVE-2024-0604 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment