Impact
The Gallerio plugin contains a reflected cross-site scripting (XSS) flaw caused by inadequate neutralization of user-controlled input when generating web pages (CWE-79). An attacker can supply crafted input that the plugin echoes back into the response, enabling execution of arbitrary JavaScript in the victim's browser context. If an end user visits a malicious link or submits a crafted form, the attacker can steal session cookies, hijack accounts, or perform phishing attacks. The vulnerability does not give direct code-execution rights on the server; its impact is confined to the client side, but it can compromise the confidentiality, integrity, and availability of the user session.
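The weakness class described above, illustrated with an added example that is not Gallerio's code and does not reproduce the plugin's actual code path. The parameter names (`gallerio_page`, `gallerio_caption`) and function names are assumptions; the escaping helpers (`esc_html`, `esc_attr`, `esc_url`, `absint`, `sanitize_text_field`, `wp_unslash`, `add_query_arg`) are standard WordPress API functions. The first function shows the echo-without-escaping pattern that produces reflected XSS; the others show the output-escaping that closes it.

```php
<?php
// Added example (not Gallerio's code). Parameter and function names are
// assumptions chosen to illustrate CWE-79 in a WordPress plugin.

// VULNERABLE PATTERN: a request parameter is written straight into the page.
// Anything the browser sends in the parameter becomes part of the HTML, so
// markup in the value is interpreted rather than displayed.
function gallerio_example_render_pager_unsafe() {
    $page = isset( $_GET['gallerio_page'] ) ? $_GET['gallerio_page'] : '1';
    echo '<a class="gallerio-next" href="?gallerio_page=' . $page . '">Page ' . $page . '</a>';
}

// HARDENED PATTERN: coerce the value to its expected type, then escape for the
// context it lands in. absint() discards anything that is not a non-negative
// integer, so no markup can survive; esc_url() escapes the href value and
// esc_html() escapes the text node.
function gallerio_example_render_pager_safe() {
    $page = isset( $_GET['gallerio_page'] ) ? absint( wp_unslash( $_GET['gallerio_page'] ) ) : 1;
    if ( $page < 1 ) {
        $page = 1;
    }
    $href = add_query_arg( 'gallerio_page', $page ); // builds on the current request URL
    echo '<a class="gallerio-next" href="' . esc_url( $href ) . '">Page ' . esc_html( $page ) . '</a>';
}

// For free-text values where a type cast is not possible, sanitize on input
// and escape on output for each context separately: esc_attr() inside the
// attribute, esc_html() inside the element body. Output escaping is the step
// that actually neutralizes reflected input; sanitizing alone is not enough.
function gallerio_example_render_caption_safe() {
    $caption = isset( $_GET['gallerio_caption'] )
        ? sanitize_text_field( wp_unslash( $_GET['gallerio_caption'] ) )
        : '';
    echo '<p class="gallerio-caption" title="' . esc_attr( $caption ) . '">'
        . esc_html( $caption ) . '</p>';
}
```

When reviewing a plugin for this flaw, search for `echo`, `print` and `printf` calls whose arguments trace back to `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` without passing through an `esc_*` function appropriate to the output context; the unsafe function above is the shape such a finding takes.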
Affected Systems
This flaw affects the Gallerio plugin distributed by Subhasis Laha. Any WordPress installation running Gallerio version 1.0.1 or earlier is vulnerable. The plugin is widely used for image galleries, so exposure may be broad among sites that still run the legacy version.
Risk and Exploitability
The CVSS score of 7.1 classifies the vulnerability as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the near term, and the vulnerability is not listed in the KEV catalog. Based on the description, the likely attack vector is remote: an attacker supplies malicious input through a URL or form that the plugin processes and reflects. The flaw requires no local privileges and no user interaction beyond visiting a crafted page, making it relatively easy for a motivated attacker to exploit.
OpenCVE Enrichment