Impact
The WordPress Gallery Plugin (by Nilesh Shiragave) contains a cross-site request forgery flaw that allows an attacker to submit a crafted request which stores malicious JavaScript in the plugin's data. Because the payload is stored, it runs in the browser of any visitor to the affected gallery, enabling client-side code execution that could deface content, steal session cookies, or further compromise the site. The weakness is a CSRF that escalates to stored XSS. Because CSRF works by having a victim's browser send the request, it is inferred that the attacker must get an authenticated user who has permission to edit the gallery to trigger the request; the flaw is exercised through normal plugin actions.
Affected Systems
All installations of the WordPress Gallery Plugin version 1.4 or earlier are affected. Only sites that have this plugin active are vulnerable; WordPress itself and other plugins are not impacted.
Risk and Exploitability
The CVSS score of 7.1 signals a moderate-to-high severity. The EPSS score of <1 % indicates the likelihood of exploitation is low, but the stored XSS vector keeps the risk non-negligible. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it by causing the browser of an authenticated user with sufficient privileges to send a forged request that injects the malicious script. Once stored, the script executes whenever the gallery is rendered in any user's browser.
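For plugin maintainers and reviewers, the sketch below is an added example (not the affected plugin's code) of the controls that break this CSRF-to-stored-XSS chain in a WordPress settings handler: a capability check, a nonce check, sanitization on save, and escaping on output. Every `demo_gallery_*` name, the `caption` field and the settings page slug are hypothetical; the file is assumed to be loaded as a plugin inside WordPress.

```php
<?php
// Added illustration: every demo_gallery_* name is hypothetical and is
// not taken from the affected plugin.

// Settings form: the nonce field is tied to the user, session and action.
function demo_gallery_render_form() {
    $caption = get_option( 'demo_gallery_caption', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_gallery_save">
        <?php wp_nonce_field( 'demo_gallery_save', 'demo_gallery_nonce' ); ?>
        <input type="text" name="caption" value="<?php echo esc_attr( $caption ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: hooked on admin_post_ only (logged-in users), never admin_post_nopriv_.
add_action( 'admin_post_demo_gallery_save', 'demo_gallery_save' );
function demo_gallery_save() {
    // 1. Authorization: the caller must be allowed to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: a forged cross-site request cannot supply a valid nonce.
    //    check_admin_referer() terminates the request when verification fails.
    check_admin_referer( 'demo_gallery_save', 'demo_gallery_nonce' );

    // 3. Input: strip markup before the value is stored.
    $caption = isset( $_POST['caption'] )
        ? sanitize_text_field( wp_unslash( $_POST['caption'] ) )
        : '';
    update_option( 'demo_gallery_caption', $caption );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo-gallery' ) );
    exit;
}

// 4. Output: escape at render time, so a value stored before the fix is inert too.
add_shortcode( 'demo_gallery', 'demo_gallery_shortcode' );
function demo_gallery_shortcode() {
    $caption = get_option( 'demo_gallery_caption', '' );
    return '<div class="demo-gallery"><p>' . esc_html( $caption ) . '</p></div>';
}
```

Escaping on output matters even after the nonce check is added, because values written to the database while the handler was unprotected remain stored until they are reviewed and cleaned.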