Impact
The My Album Gallery WordPress plugin allows authenticated users with Author or higher privileges to inject arbitrary scripts through the image title field. The vulnerability arises from insufficient input sanitization and output escaping on the attachment title attribute, enabling stored XSS that executes for any user who views the affected page. Once the script runs, an attacker can steal user credentials, hijack sessions, deface content, or deliver further malicious payloads. This type of flaw primarily undermines user confidentiality and integrity, because the injected code executes in the context of the visiting user rather than the attacker. The attack surface is limited to users who can view the gallery content, but the impact remains significant for site operators.
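The effect of the missing output escaping described above can be checked offline. The following is an added example, not the plugin's code: it assumes the title is rendered into a double-quoted `title` attribute of an `<img>` tag (the page does not show the plugin's actual markup), and the attachment rows are constructed sample data.

```python
import html
from html.parser import HTMLParser


class _TagCollector(HTMLParser):
    """Records every start tag together with its parsed attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_img(title, escape):
    # escape=False mirrors the flaw: the stored title is written out verbatim.
    # escape=True applies attribute-context escaping (quotes included).
    value = html.escape(title, quote=True) if escape else title
    return f'<img src="photo.jpg" title="{value}">'


def title_survives(markup, title):
    """True if markup is exactly one <img> with only src/title and the
    parsed title equals the stored title (i.e. the title stayed data)."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    if len(parser.tags) != 1:
        return False
    tag, attrs = parser.tags[0]
    return tag == "img" and set(attrs) == {"src", "title"} and attrs["title"] == title


def audit_titles(rows):
    """Return IDs of attachments whose title changes the markup structure
    when rendered without escaping."""
    return [pid for pid, title in rows
            if not title_survives(render_img(title, escape=False), title)]


# Constructed sample rows: (attachment ID, stored title).
SAMPLE_ROWS = [
    (101, "Sunset over the bay"),
    (102, 'Beach" data-x="1'),        # closes the attribute, adds another
    (103, 'Harbour"><b>bold</b>'),    # closes the tag, adds an element
    (104, "Tom & Jerry's picnic"),    # special characters, but harmless here
]
```

Rows flagged by `audit_titles` are the ones to review on a site that ran an affected version; with `escape=True` every sample title round-trips as plain attribute data.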
Affected Systems
The vulnerability affects the My Album Gallery plugin for WordPress, versions 1.0.0 through 1.0.4 inclusive, released by the author ruhul080. Any site that runs one of these plugin versions and allows users with the Author role or higher to edit image titles is susceptible. The issue does not exist in releases newer than 1.0.4, which incorporate proper input filtering.
Risk and Exploitability
With a CVSS score of 6.4, this weakness is considered moderate in severity. The EPSS score is below 1 %, indicating a low probability of large‑scale exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be logged in with at least Author privileges and to edit an image title to inject malicious code. Once inserted, the XSS will affect every visitor to any page that renders the gallery. The lack of an additional authentication or privilege check beyond the Author role makes the path straightforward for any user with the requisite role on the target site.