The FooGallery Captions plugin contains an improper neutralization of input that allows a reflected cross‑site scripting (XSS) flaw. An attacker can embed malicious JavaScript that executes in the context of a victim’s browser when a reflected request is served. This type of code execution can lead to session hijacking, credential theft, or the delivery of phishing content to unsuspecting users, representing a direct threat to confidentiality and integrity of user data. The weakness is a classic input validation error identified by CWE‑79.

WordPress sites that use the FooGallery Captions plugin by tormorten in version 1.0.2 or earlier are affected. Any installation of this plugin that has not been upgraded to a later release is vulnerable, regardless of the site’s overall WordPress configuration.

With a CVSS score of 7.1 the vulnerability is considered medium severity. The EPSS score of less than 1% indicates that the probability of exploitation is low at present, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be available to anyone who can craft a request to the plugin’s endpoint, as the plugin reflects user input back into the page without proper encoding. An attacker does not need administrative privileges but can target any browser that visits the vulnerable page, making this a potentially widespread risk for public sites.