CVE-2024-12114

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-12114
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12114.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-12114
Published
2025-03-08T06:15:35.103Z
Modified
2025-11-15T15:17:42.021878Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogalleryattachmentmodalsave AJAX action due to missing validation on a user controlled key (imgid). This makes it possible for authenticated attackers, with granted access and above, to update arbitrary post and page content. This requires the Gallery Creator Role setting to be a value lower than 'Editor' for there to be any real impact.

References

Affected packages

Git / github.com/fooplugins/foogallery

Affected ranges

Type
GIT
Repo
https://github.com/fooplugins/foogallery
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d43c48b06b0b5094e13a45d18fc33c5af1190b88

Affected versions

1.*

1.10.0
1.2.0
1.2.1
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.20
1.2.4
1.2.6
1.2.7
1.2.8
1.2.9
1.3.6
1.3.7
1.4.12
1.4.14
1.4.15
1.4.17
1.4.24
1.4.25
1.4.26
1.4.27
1.4.28
1.4.29
1.4.30
1.4.31
1.4.32
1.4.33
1.4.34
1.4.50
1.4.8
1.5.8
1.5.9
1.6.0
1.6.11
1.6.14
1.6.17
1.6.7
1.7.4
1.7.8
1.8.0
1.8.11
1.8.12
1.8.18
1.8.20
1.8.8
1.9.11
1.9.23
1.9.25
1.9.28
1.9.30
1.9.34
1.9.35
1.9.39
1.9.45
1.9.47
1.9.48
1.9.49
1.9.51
1.9.52
1.9.53
1.9.8

2.*

2.0.24
2.0.30
2.0.35
2.0.39
2.1.18
2.1.28
2.2.14
2.2.15
2.2.16
2.2.20
2.2.26
2.2.28
2.2.35
2.2.41
2.2.44
2.4.13
2.4.14
2.4.15
2.4.16
2.4.22
2.4.26
2.4.27
2.4.29
2.4.6
2.4.7
2.4.9

Other

ie10-justified-gallery-object-doesnt-support-action

v1.*

v1.1.8