CVE-2022-4142

Name of the Vulnerable Software and Affected Versions WordPress Filter Gallery Plugin version 0.1.5 and earlier

Description The WordPress Filter Gallery Plugin does not properly escape the filters passed in the ufg gallery filters ajax action before outputting them on the page. This allows a high privileged user, such as an administrator, to inject HTML or javascript to the plugin settings page, even when the unfiltered html capability is disabled.

Recommendations For WordPress Filter Gallery Plugin version 0.1.5 and earlier, update to version 0.1.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the ufg gallery filters ajax action to minimize the risk of exploitation.