Impact
The vulnerability is improper neutralization of user input during web page generation, in its stored form: an attacker can insert malicious script that is persisted by the WordPress Gallery plugin. If an attacker can submit content that passes through the plugin’s storage layer, the injected JavaScript will execute whenever a gallery page is viewed, potentially stealing session data, defacing content, or redirecting users to malicious sites. The weakness corresponds to CWE‑79 and can compromise the integrity and confidentiality of site visitors’ browser sessions.
Affected Systems
WordPress sites using the Jordy Meow Gallery plugin version 2.2.1 or earlier are affected. The affected‑version range is specified as "from n/a through 2.2.1"; therefore any deployment of the plugin that has not been upgraded beyond 2.2.1 is vulnerable.
Risk and Exploitability
The vulnerability has a CVSS score of 5.9, indicating a moderate severity level. Its EPSS score is reported as < 1%, meaning that exploitation is currently considered unlikely, and it is not listed in the CISA KEV catalogue. The likely attack vector is the plugin’s data input interface, where an attacker can submit malicious payloads that are subsequently stored and rendered. If the site accepts such input without proper sanitization, the stored script will execute in the browser of any user who views the affected gallery pages.
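The store-then-render path described under Impact, shown as an added example with the unencoded output beside the encoded one. This is not the Gallery plugin's code: the advisory does not name the affected field, so the `src`, `alt` and `caption` fields and all function names are assumptions, and the stored record is constructed.

```php
<?php
// Added illustration with hypothetical names; not the Gallery plugin's code.

// Constructed sample of what a storage layer might return for one image.
$stored = [
    'src'     => 'https://example.test/uploads/cat.jpg',
    'caption' => 'Cat <script>document.title="xss"</script>',
    'alt'     => 'cat" onload="document.title=\'xss\'',
];

// Before: stored values are concatenated into the page unchanged.
function render_item_unsafe(array $item): string {
    return '<figure><img src="' . $item['src'] . '" alt="' . $item['alt'] . '">'
         . '<figcaption>' . $item['caption'] . '</figcaption></figure>';
}

// Encode for HTML text and quoted-attribute contexts.
// In WordPress, esc_html() and esc_attr() fill this role.
function enc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only http(s) URLs; anything else renders as an empty src.
// In WordPress, esc_url() fills this role.
function safe_url(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? enc($url) : '';
}

// After: every stored value is encoded for the context it lands in.
function render_item_safe(array $item): string {
    return '<figure><img src="' . safe_url($item['src']) . '" alt="' . enc($item['alt']) . '">'
         . '<figcaption>' . enc($item['caption']) . '</figcaption></figure>';
}

// Regression-style check: does a script tag or quoted event handler survive?
function has_active_markup(string $html): bool {
    return stripos($html, '<script') !== false
        || preg_match('/\son\w+\s*=\s*["\']/i', $html) === 1;
}

foreach (['unsafe' => render_item_unsafe($stored), 'safe' => render_item_safe($stored)] as $name => $html) {
    printf("%-6s active markup: %s\n%s\n\n", $name, has_active_markup($html) ? 'yes' : 'no', $html);
}
```

Encoding at output time covers values that were already stored before any input-side sanitization was added, which is why the fix belongs in the render path as well as at submission.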