Impact
The Kona Gallery Block plugin from gubbigubbi improperly neutralizes user input during web page generation, allowing attackers to embed malicious scripts that are stored in the database and later served to site visitors. This stored XSS flaw can be leveraged to inject arbitrary client-side code, potentially leading to defacement, credential theft, or delivery of malware to users who view pages containing the compromised content. The core weakness is a classic web-input validation issue, classified as CWE-79.
Affected Systems
This vulnerability applies to any installation of the Kona Gallery Block plugin up through version 1.7. Users running that plugin version on a WordPress site are affected; later versions are not mentioned as vulnerable.
Risk and Exploitability
The CVSS score of 6.5 reflects a medium severity risk, with no current listing in the CISA KEV catalog and an EPSS score of less than 1%, indicating a low probability of exploitation at present. The most likely attack path would involve an attacker successfully inserting malicious content into a place where the plugin stores gallery data, such as a gallery caption or description field, which is then rendered unfiltered in subsequent page views. Because the flaw is stored, once the data is persisted it can affect all visitors who load the affected page. No known mitigation or patch is listed in the supplied data, so the risk remains contingent on whether the plugin is updated or otherwise managed.
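To make the weakness described above concrete, the following illustration shows the render pattern that produces a stored XSS in a WordPress block (a caption stored with the gallery is concatenated into the page unchanged) next to a hardened version that escapes at output time and sanitizes on save. This is added example code, not the Kona Gallery Block plugin's own source; the function names, the attribute layout (`images` with `url`, `alt`, `caption` keys) and the block structure are assumptions. The escaping helpers (`esc_url`, `esc_attr`, `esc_html`, `wp_kses_post`, `esc_url_raw`, `sanitize_text_field`) are standard WordPress functions and require WordPress to be loaded.

```php
<?php
// Added illustration, not the plugin's own code. Function names and the
// attribute layout are assumed; only the WordPress escaping helpers are real.

// Vulnerable pattern (CWE-79): user-controlled values are written into the
// page as-is, so any markup saved with the gallery executes in visitors' browsers.
function kona_demo_render_gallery_unsafe( $attributes ) {
    $html = '<div class="gallery">';
    foreach ( (array) $attributes['images'] as $image ) {
        $html .= '<figure>';
        $html .= '<img src="' . $image['url'] . '" alt="' . $image['alt'] . '">';
        $html .= '<figcaption>' . $image['caption'] . '</figcaption>';
        $html .= '</figure>';
    }
    return $html . '</div>';
}

// Hardened pattern: escape every value at output time with the helper that
// matches its HTML context (URL, attribute, or element body).
function kona_demo_render_gallery_safe( $attributes ) {
    $html = '<div class="gallery">';
    foreach ( (array) $attributes['images'] as $image ) {
        $url     = isset( $image['url'] ) ? $image['url'] : '';
        $alt     = isset( $image['alt'] ) ? $image['alt'] : '';
        $caption = isset( $image['caption'] ) ? $image['caption'] : '';

        $html .= '<figure>';
        // esc_url() rejects unsafe schemes; esc_attr() encodes quotes and angle
        // brackets so the value cannot break out of the attribute.
        $html .= '<img src="' . esc_url( $url ) . '" alt="' . esc_attr( $alt ) . '">';
        // wp_kses_post() keeps harmless formatting (<em>, <a>, ...) and strips
        // script elements and event-handler attributes. Use esc_html() instead
        // if captions are never meant to carry markup at all.
        $html .= '<figcaption>' . wp_kses_post( $caption ) . '</figcaption>';
        $html .= '</figure>';
    }
    return $html . '</div>';
}

// Defence in depth: sanitize on the way into the database as well, so the
// stored data is already clean if a later template forgets to escape.
function kona_demo_sanitize_images( $images ) {
    $clean = array();
    foreach ( (array) $images as $image ) {
        $clean[] = array(
            'url'     => esc_url_raw( isset( $image['url'] ) ? $image['url'] : '' ),
            'alt'     => sanitize_text_field( isset( $image['alt'] ) ? $image['alt'] : '' ),
            'caption' => wp_kses_post( isset( $image['caption'] ) ? $image['caption'] : '' ),
        );
    }
    return $clean;
}
```

Output escaping is the control that actually closes CWE-79; the save-time sanitization is a second layer, not a replacement, because the same stored value may later be rendered in a context (attribute, JavaScript, URL) that the save-time filter did not anticipate. When reviewing a plugin for this class of issue, the check is simply whether every user-sourced value reaches `echo` or string concatenation through one of these context-appropriate helpers.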
OpenCVE Enrichment