PT-2022-17620 · WordPress · The Visual Portfolio
Krzysztof Zając · Published 2022-09-05 · Updated 2022-09-09 · CVE-2022-2597
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin versions prior to 2.19.0
Description
The plugin performs improper authorization checks in some of its REST endpoints, so users with a role as low as Contributor can call those endpoints and inject arbitrary CSS into arbitrary saved layouts.
Recommendations
For versions prior to 2.19.0, update to version 2.19.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST endpoints until a patch is applied. Avoid using the plugin's functionality that allows injecting CSS in saved layouts until the issue is resolved.
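The authorization failure the advisory describes, as an added example that is not code from the Visual Portfolio plugin: a WordPress REST route whose permission check lets any logged-in user (a Contributor included) write CSS into a saved layout, beside the hardened registration, followed by a temporary mu-plugin filter of the kind the Recommendations refer to. The namespace `example-portfolio/v1`, the route paths, the `layout_id` and `css` parameters, the post-meta key and every function name are hypothetical; the plugin's real endpoints are not named on this page.

```php
<?php
/*
 * Added example, not code from the Visual Portfolio plugin. Namespace, routes,
 * parameter names, meta key and function names are hypothetical.
 */

// 1) WEAK: 'is_user_logged_in' passes for every authenticated role, so a
//    Contributor can call this endpoint and store CSS in whichever layout it names.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-portfolio/v1', '/layouts/(?P<layout_id>\d+)/css-unchecked', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_layout_css',
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

// 2) HARDENED: require a site-level capability (edit_theme_options is granted
//    to Administrators, not Contributors) and validate parameters via schema.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-portfolio/v1', '/layouts/(?P<layout_id>\d+)/css', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_save_layout_css',
        'permission_callback' => 'example_can_edit_layout_css',
        'args'                => array(
            'layout_id' => array( 'type' => 'integer', 'minimum' => 1, 'required' => true ),
            'css'       => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );

function example_can_edit_layout_css( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to edit layout CSS.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

function example_save_layout_css( WP_REST_Request $request ) {
    $layout_id = (int) $request['layout_id'];
    $css       = (string) $request['css'];
    // Hypothetical storage: layouts are posts and their CSS lives in post meta.
    update_post_meta( $layout_id, '_example_layout_css', $css );
    return rest_ensure_response( array( 'saved' => true, 'layout_id' => $layout_id ) );
}

// 3) TEMPORARY WORKAROUND (a file in wp-content/mu-plugins/ until the update is
//    applied): refuse write requests under the namespace unless the caller holds
//    the capability. rest_request_before_callbacks runs before the route's own
//    permission_callback, so returning a WP_Error here ends the request.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route(); // e.g. "/example-portfolio/v1/layouts/7/css"
    $is_plugin_route = 0 === strpos( $route, '/example-portfolio/v1/' );
    $is_write        = 'GET' !== $request->get_method();
    if ( $is_plugin_route && $is_write && ! current_user_can( 'edit_theme_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'This endpoint is temporarily restricted.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}, 10, 3 );
```

The capability check is deliberately site-level rather than per-post: CSS stored in a layout is served to every visitor of any page that embeds it, so the decision belongs with whoever may change the site's appearance, not with whoever may edit an individual post. The workaround filter only blocks non-GET methods so that front-end reads of the same namespace keep working; verify on a staging site which of the plugin's own routes are needed anonymously before deploying it.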
Exploit
Fix
Weakness Enumeration
Incorrect Authorization
Related Identifiers
Affected Products
The Visual Portfolio