The vulnerability is an improper neutralization of input during web page generation, specifically a reflected cross‑site scripting flaw in the WordPress Photo Gallery – Image Gallery plugin. It allows an attacker to cause a victim's browser to execute arbitrary JavaScript when a crafted URL is visited. The effect is that attackers can hijack the victim’s session, steal cookies or perform actions on behalf of the user, thereby compromising confidentiality and integrity of the victim’s data in the browser context.

The affected vendor is uxgallery and the product is WordPress Photo Gallery – Image Gallery. Versions from the initial release through version 2.0.4 are vulnerable. No specific lower bound is listed, indicating that all releases up to and including 2.0.4 are affected.

The CVSS score of 7.1 reflects a moderate to high severity reflected XSS. The EPSS score of < 1% indicates a very low but nonzero probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote, via user‑controllable URL parameters or form input that is reflected in the page. Successful exploitation would lead to arbitrary client‑side script execution on the victim’s browser, allowing attackers to conduct phishing, session hijacking, or data theft. The risk is therefore substantial for any site that hosts the vulnerable plugin and presents the reflected input to users.