PT-2021-15948 · WordPress · The Polo Video Gallery
Michał Lipiński · Published 2021-10-18 · Updated 2021-10-21 · CVE-2021-24415
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Polo Video Gallery – Best wordpress video gallery plugin versions through 1.2
Description
The issue allows users with a role as low as Contributor to place a Cross-Site Scripting payload in the parameters of the plugin's shortcode; the payload is triggered on every page that embeds the malicious shortcode. The root cause is that the plugin neither sanitises nor validates its shortcode parameters before rendering them into the page.
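The pattern the advisory describes, as an added illustration that is not code from the plugin or from this advisory: a shortcode handler that concatenates its attributes straight into HTML, beside a hardened version that validates and escapes each attribute for its output context. The shortcode name and the attribute names (`src`, `title`, `width`) are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Shortcode and attribute names are
// hypothetical; only the WordPress API calls (shortcode_atts, esc_url, esc_attr,
// absint, add_shortcode) are real.

// Vulnerable pattern: attributes taken from the post content reach the page
// unescaped, so whoever can insert the shortcode controls markup on the
// rendered page (any logged-in visitor who views the post is affected).
function pvg_demo_shortcode_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'src' => '', 'title' => '', 'width' => '640' ), $atts );
    return '<div class="gallery-item" style="width:' . $a['width'] . 'px">'
         . '<video src="' . $a['src'] . '" title="' . $a['title'] . '"></video></div>';
}

// Hardened version: validate each attribute for the context it is used in,
// then escape it for that context before concatenation.
function pvg_demo_shortcode_fixed( $atts ) {
    $a = shortcode_atts( array( 'src' => '', 'title' => '', 'width' => '640' ), $atts );

    // width goes into a CSS declaration: accept a positive integer only.
    $width = absint( $a['width'] );
    if ( $width === 0 ) {
        $width = 640;
    }

    // src goes into a URL attribute: esc_url() strips disallowed schemes and
    // encodes characters that would break out of the attribute.
    $src = esc_url( $a['src'] );
    if ( $src === '' ) {
        return ''; // no usable source: render nothing rather than partial markup
    }

    // title goes into an ordinary HTML attribute: esc_attr() encodes quotes
    // and angle brackets so the value cannot close the attribute or the tag.
    $title = esc_attr( $a['title'] );

    return '<div class="gallery-item" style="width:' . $width . 'px">'
         . '<video src="' . $src . '" title="' . $title . '"></video></div>';
}

add_shortcode( 'pvg_demo', 'pvg_demo_shortcode_fixed' );
```

The same rule applies to every attribute a shortcode accepts: escaping depends on where the value lands (attribute, URL, JavaScript, CSS), not on who wrote the post.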
Recommendations
For versions through 1.2, consider disabling the shortcode functionality until a patch is available to prevent exploitation. Restrict access to the plugin's settings to reduce the risk of malicious shortcode embedding, and avoid using the plugin's shortcode on sensitive pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
XSS
Affected Products
The Polo Video Gallery