Impact
WordPress Picture Gallery 1.4.2 contains a stored cross‑site scripting vulnerability that allows an attacker who is authenticated to the WordPress site to inject malicious JavaScript payloads into the Edit Content URL field. When the plugin later renders the stored value, the browser executes the injected script, giving the attacker the ability to hijack the user session or steal credentials from site visitors. The weakness is a classic input‑validation flaw identified as CWE‑79, and it is only exploitable by users who have editing privileges on the plugin.
Affected Systems
The vulnerability exists in the WordPress Picture Gallery plugin version 1.4.2, which is distributed by Video Whispers. WordPress sites that have installed this version of the plugin and do not use the default role restrictions are vulnerable. All other plugin versions, and sites where the plugin is not installed, are unaffected.
Risk and Exploitability
The CVSS score for this issue is 5.1, indicating a moderate security impact. No EPSS score is available, but the lack of an EPSS entry does not imply the risk is low; the vulnerability requires only an authenticated user with editing rights, which many sites provide to administrators. The issue is not present in the CISA KEV catalog. Attackers would first authenticate, then modify the Edit Content URL field, after which the injected script would execute for any visitor who uses the affected functionality. Because it is a stored XSS, the impact lasts until the offending setting is removed or the plugin is upgraded. The potential to hijack sessions or compromise credentials makes it a non‑negligible risk for sites with lax role assignments.
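The class of fix for a stored XSS in a URL setting is to validate the value when it is saved and encode it again when it is rendered. The following is an added example, not code from the plugin or its vendor: it is plain PHP so it runs without WordPress (WordPress offers `esc_url_raw()` and `esc_url()` for the same two steps). The function names are hypothetical, the sample values are constructed, and it assumes the setting is emitted as a link `href`.

```php
<?php
// Added example: plain PHP, no WordPress loaded. Function names are hypothetical.

// Save-time check: accept only absolute http(s) URLs, otherwise store ''.
function sanitize_url_setting(string $raw): string {
    $url = trim($raw);
    // Strict by design: reject control characters, whitespace, quotes,
    // angle brackets, backticks and backslashes instead of trying to repair them.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>`\\\\]/', $url)) {
        return '';
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '';
    }
    // Scheme allowlist; javascript:, data:, vbscript: and the like are refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

// Render-time step: re-validate the stored value (it may predate the save-time
// check), then HTML-attribute-encode it before it reaches the page.
function render_edit_link(string $stored): string {
    $url = sanitize_url_setting($stored);
    if ($url === '') {
        return '<span class="edit-link-disabled">Edit</span>';
    }
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">Edit</a>';
}

// Constructed sample values for the setting: one legitimate, three hostile.
$samples = [
    'https://example.com/edit?id=7&tab=content',
    'javascript:alert(1)',
    'https://example.com/"><script>alert(1)</script>',
    ' JaVaScRiPt:alert(1)',
];
foreach ($samples as $value) {
    printf("%-52s => %s\n", json_encode($value), render_edit_link($value));
}
```

Re-validating at render time matters here because a value stored before the fix stays in the database until it is overwritten.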