A Cross-Site Scripting (XSS) vulnerability has been identified in the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery Plugin. This vulnerability allows an attacker to inject malicious scripts into the affected website, potentially compromising the security of the website and its visitors.

This vulnerability was discovered and responsibly reported by yuyudhn.

The vulnerability is a Cross-Site Scripting (XSS) vulnerability that occurs in the photo-gallery-slideshow.php file. The vulnerability allows an attacker to inject malicious scripts into the website by specifying a specially crafted URL.

Severity:

The vulnerability has a CVSS 3.1 score of 7.1, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Photo Gallery Slideshow & Masonry Tiled Gallery Plugin prior to 1.0.14.

Impact:

An attacker who successfully exploits this vulnerability could inject malicious scripts into the affected website, such as:

  • Phishing scripts
  • Malware
  • Ads

This malicious code could then be executed by visitors to the website, potentially leading to a variety of security risks, such as:

  • Stealing personal information
  • Damaging the website’s files or database
  • Taking control of the website

Recommendation:

To ensure the website remains secure and alert against potential threats, consider the following recommendations:

  • Immediate Update: Users of the Photo Gallery Slideshow & Masonry Tiled Gallery Plugin are strongly advised to update to the latest available version (at least 1.0.14). This vulnerability has been fixed in version 1.0.14.
  • Regular Security Audits: Implement a routine schedule for security audits on the affected WordPress website.
  • Stay Informed: Keep an eye on official sources for updates or advisories related to the Photo Gallery Slideshow & Masonry Tiled Gallery Plugin. Timely awareness is essential for maintaining the website’s security.