Impact
shauno's NextGEN Gallery Voting plugin contains an Improper Neutralization of Input During Web Page Generation vulnerability that allows attackers to inject arbitrary JavaScript, which is then executed in the browser of any user who visits a crafted URL. This reflected Cross-Site Scripting (XSS) flaw is classified as CWE-79 and can be used to steal session cookies, deface pages, or deliver phishing content. The issue exists in all releases up to and including 2.7.6, so any site that has not upgraded beyond that version is potentially vulnerable.
Affected Systems
WordPress sites that have the NextGEN Gallery Voting plugin installed, particularly versions 2.7.6 or older, are affected. The plugin, developed by shauno, is distributed on the WordPress plugin repository and is commonly integrated into galleries on many sites. The vulnerability was reported to affect releases from the earliest through 2.7.6, so any site running a version of the plugin within that range is impacted.
Risk and Exploitability
The CVSS score of 7.1 classifies this flaw as high severity, while the EPSS score indicates a very low probability of exploitation at the present time. The vulnerability is not listed in CISA's KEV catalog, suggesting limited known exploitation. An attacker exploits it by crafting a malicious URL or form payload containing script, which the plugin reflects back in its output without proper sanitization. The attacker only needs a user to visit the crafted link for the payload to execute, making it a user-agent-dependent threat that can facilitate credential theft or site defacement.