Photo Gallery by 10Web Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress. This issue affects all versions through 1.8.34 and arises from inadequate input sanitization and output escaping. The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages, which could be executed if an administrative user is tricked into clicking a link or performing a similar action.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with the 'image_id' parameter set to a value that will be processed by the vulnerable plugin. The injected script must be crafted to execute when an administrative user interacts with the page, such as by clicking a link.