CVE-2024-5968

Name of the Vulnerable Software and Affected Versions: The Photo Gallery by 10Web WordPress plugin versions prior to 1.8.28

Description: The issue concerns a Stored Cross-Site Scripting attack. High privilege users, such as admins, can exploit this even when the unfiltered html capability is disallowed, for example, in a multisite setup. This occurs because the plugin does not properly sanitise and escape some of its Gallery settings.

Recommendations: For versions prior to 1.8.28, upgrade to version 1.8.28 or later to mitigate the risk of remote exploitation and protect the site. As a temporary workaround, consider restricting access to the Gallery settings to minimize the risk of exploitation.