PT-2020-7802 · WordPress · Wordpress Photo Gallery

Sven Schleier · Published 2020-02-08 · Updated 2020-02-11 · CVE-2015-1394
CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Photo Gallery plugin for WordPress (wordpress.org slug photo-gallery), versions prior to 1.2.11.
Description: Multiple cross-site scripting (XSS) vulnerabilities. A remote authenticated user can inject arbitrary web script or HTML via the sort_by, sort_order, items_view, dir, clipboard_task, clipboard_files, clipboard_src, or clipboard_dest parameter of an addImages action sent to the wp-admin/admin-ajax.php endpoint, because the plugin places these values into its response without escaping them. The request needs a valid WordPress session (Au:S in the vector); the CVE does not state which role is required beyond being logged in, so any account that can reach the plugin's admin-ajax actions should be treated as able to supply a payload. The low CVSS v2 score (3.5) reflects the authentication requirement and the user interaction needed for the script to run in a victim's browser (AC:M), with partial impact on integrity only (C:N/I:P/A:N).
Recommendations: Update the Photo Gallery plugin to version 1.2.11 or later. Until the update is applied, deactivate the plugin, or at least make sure that only trusted accounts hold roles that can reach its admin-ajax actions, and remove stale or untrusted accounts. Blocking wp-admin/admin-ajax.php outright at the web server is a poor workaround: WordPress core and many plugins route their front-end AJAX (including unauthenticated wp_ajax_nopriv_ actions) through the same file, so a blanket block breaks unrelated functionality while leaving the authenticated attack path open to anyone the block exempts. Note also that the vulnerable parameters are supplied by the attacker, not by the site's administrators, so "avoiding" them offers no protection; only the plugin-side fix (validating and escaping these values) or removing the plugin closes the issue. To check the installed version, read the Version: line in the header of the plugin's main file (photo-gallery.php under wp-content/plugins/photo-gallery/) or run "wp plugin get photo-gallery --field=version" with WP-CLI.
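The vulnerable pattern behind this class of bug, and the shape of the fix, as an added example. This is an illustrative reconstruction written for this page, not the Photo Gallery plugin's own code: the function names, the nonce action, the required capability, the allowed-value lists and the markup are assumptions chosen to demonstrate the point. It shows request parameters echoed into an attribute unescaped (the XSS), and beside it a handler that checks authorization, constrains the enumerated parameters to known values and escapes everything at the output point.

```php
<?php
/*
 * Added example: an illustrative reconstruction of the vulnerability class in
 * CVE-2015-1394, not the Photo Gallery plugin's own code. Function names, the
 * nonce action, the capability and the allowed-value lists are assumptions.
 */

// --- Vulnerable pattern: request parameters echoed into markup unescaped. ---
function example_addimages_vulnerable() {
    // Each value comes straight from the request and is written into HTML below.
    $sort_by = isset( $_REQUEST['sort_by'] ) ? $_REQUEST['sort_by'] : 'name';
    $dir     = isset( $_REQUEST['dir'] ) ? $_REQUEST['dir'] : '';
    $cb_task = isset( $_REQUEST['clipboard_task'] ) ? $_REQUEST['clipboard_task'] : '';
    ?>
    <form id="file-manager">
      <!-- sort_by="><script>...</script> closes the attribute and runs script -->
      <input type="hidden" name="sort_by" value="<?php echo $sort_by; ?>">
      <input type="hidden" name="dir" value="<?php echo $dir; ?>">
      <input type="hidden" name="clipboard_task" value="<?php echo $cb_task; ?>">
    </form>
    <?php
    wp_die();
}

// Returns the request value for $key if it is one of $allowed, else $default.
function example_pick( $key, array $allowed, $default ) {
    if ( ! isset( $_REQUEST[ $key ] ) ) {
        return $default;
    }
    $value = sanitize_text_field( wp_unslash( $_REQUEST[ $key ] ) );
    return in_array( $value, $allowed, true ) ? $value : $default;
}

// --- Hardened pattern: authorize, constrain input, escape output. ---
function example_addimages_hardened() {
    // "Authenticated" is not "authorized": require a nonce bound to this action
    // and the capability the feature needs (both names are assumptions).
    check_ajax_referer( 'example_addimages', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Enumerated parameters: accept only known values.
    $sort_by    = example_pick( 'sort_by',        array( 'name', 'size', 'date' ), 'name' );
    $sort_order = example_pick( 'sort_order',     array( 'asc', 'desc' ),          'asc' );
    $items_view = example_pick( 'items_view',     array( 'list', 'thumbs' ),       'thumbs' );
    $cb_task    = example_pick( 'clipboard_task', array( '', 'copy', 'cut' ),      '' );

    // Free-form parameters: sanitize, and reject traversal in directory values
    // (a real check would also confine them to the plugin's upload root).
    $dir = isset( $_REQUEST['dir'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['dir'] ) ) : '';
    if ( strpos( $dir, '..' ) !== false || strpos( $dir, '/' ) === 0 ) {
        $dir = '';
    }
    $cb_files = isset( $_REQUEST['clipboard_files'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['clipboard_files'] ) ) : '';
    ?>
    <form id="file-manager">
      <!-- esc_attr() encodes " < > & so the attribute cannot be closed early -->
      <input type="hidden" name="sort_by" value="<?php echo esc_attr( $sort_by ); ?>">
      <input type="hidden" name="sort_order" value="<?php echo esc_attr( $sort_order ); ?>">
      <input type="hidden" name="items_view" value="<?php echo esc_attr( $items_view ); ?>">
      <input type="hidden" name="dir" value="<?php echo esc_attr( $dir ); ?>">
      <input type="hidden" name="clipboard_task" value="<?php echo esc_attr( $cb_task ); ?>">
      <input type="hidden" name="clipboard_files" value="<?php echo esc_attr( $cb_files ); ?>">
    </form>
    <?php
    wp_die();
}

// Register the hardened handler for the addImages admin-ajax action. Only
// wp_ajax_ (logged-in) is hooked; no wp_ajax_nopriv_ counterpart exists.
add_action( 'wp_ajax_addImages', 'example_addimages_hardened' );
```

Two design points are worth noting. sanitize_text_field() is an input filter, not an output escaper: it strips tags but leaves quotes, so on its own it does not stop an attribute break-out; esc_attr() at the point where the value is written into the attribute is what closes that path, and the whitelist in example_pick() removes the problem entirely for parameters that only ever take a handful of values. To confirm a patched handler behaves this way, send a value such as "><x in sort_by and check that the response contains &quot;&gt;&lt;x rather than the raw characters.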

Tags: Exploit · Fix · XSS


Related Identifiers: CVE-2015-1394
Affected Products: Wordpress Photo Gallery