PT-2021-15885 · WordPress · This Gallery From Files

Satyender Yadav · Published 2021-06-14 · Updated 2022-11-09 · CVE-2021-24349

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

This Gallery from files WordPress plugin versions 1.6.0 and earlier

Description

The plugin does not properly sanitize filenames before outputting them in the error message shown when a file has an invalid extension, leading to a reflected Cross-Site Scripting issue. Because there is no CSRF check, the attack could also be performed via a CSRF vector.

Recommendations

For versions 1.6.0 and earlier, update to a version that properly sanitizes filenames and includes a CSRF check to prevent reflected Cross-Site Scripting issues. As a temporary workaround, consider disabling the image upload functionality until a patch is available. Restrict access to the error message output to minimize the risk of exploitation.
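
One way to apply both fixes named above (output escaping of the filename and a CSRF check) in a WordPress upload handler. This is an added example, not the plugin's own code; the action, nonce, field and function names and the extension allow-list are hypothetical.

```php
<?php
// Added illustration: hypothetical handler, not taken from the plugin.
// Pattern the advisory describes (shown as a comment only):
//   echo 'Invalid extension: ' . $_FILES['example_file']['name']; // raw filename reaches HTML
//   ...with no nonce check, so a forged cross-site form post reaches the same code path.

const EXAMPLE_ALLOWED_EXT = array( 'jpg', 'jpeg', 'png', 'gif' ); // assumed allow-list

// Form side: embed a nonce tied to this specific action.
function example_gallery_render_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_gallery_upload">';
    wp_nonce_field( 'example_gallery_upload', 'example_gallery_nonce' );
    echo '<input type="file" name="example_file"><input type="submit" value="Upload"></form>';
}

function example_gallery_handle_upload() {
    // CSRF check: execution stops here unless the request carries a valid nonce.
    check_admin_referer( 'example_gallery_upload', 'example_gallery_nonce' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( esc_html( 'You are not allowed to upload files.' ), '', array( 'response' => 403 ) );
    }
    if ( empty( $_FILES['example_file']['name'] ) ) {
        wp_die( esc_html( 'No file was submitted.' ), '', array( 'response' => 400 ) );
    }

    // Normalize the client-supplied name before using it anywhere.
    $name = sanitize_file_name( $_FILES['example_file']['name'] );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );

    if ( ! in_array( $ext, EXAMPLE_ALLOWED_EXT, true ) ) {
        // Escape at the point of output: the filename is attacker-controlled text.
        $msg = sprintf( 'Invalid extension for file "%s".', esc_html( $name ) );
        wp_die( $msg, '', array( 'response' => 400 ) );
    }

    // test_form => false because the nonce was already verified above.
    $result = wp_handle_upload( $_FILES['example_file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( admin_url( 'upload.php' ) );
    exit;
}
add_action( 'admin_post_example_gallery_upload', 'example_gallery_handle_upload' );
```

`sanitize_file_name()` alone is not the XSS fix; the `esc_html()` call at the point of output is what keeps the filename from being interpreted as markup.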

Exploit

Fix

XSS

CSRF

Weakness Enumeration

Related Identifiers

CVE-2021-24349

Affected Products

This Gallery From Files