Impact
The plugin does not properly neutralize input during web page generation, which allows an attacker to inject malicious scripts that are stored in the gallery data. When other users retrieve the gallery, the attacker-crafted script executes in their browsers, potentially stealing session cookies, defacing content, or delivering further malware. The weakness is a classic stored XSS (CWE-79). According to the official description, the flaw can be exploited by inserting malicious code into gallery fields, which is then persisted and served to any visitor who views the affected gallery page.
Affected Systems
The vulnerability affects the gt3themes Photo Gallery (gt3-photo-video-gallery) plugin for WordPress up to and including version 2.7.7.25. All installations using this or earlier versions are susceptible, so administrators need to verify the running version. The plugin is a gallery module that can be enabled on any WordPress site.
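One way to verify the running version across several sites, as an added example (not code from the plugin or the advisory). It assumes the standard wp-content/plugins/<slug> layout and reads the Version: header from the plugin's top-level PHP files; make_fixture and its fixture.php file are constructed test data, not the plugin's real file names.

```shell
#!/bin/sh
# Added example: flag WordPress roots running an affected plugin version.
SLUG="gt3-photo-video-gallery"   # plugin slug from the advisory
LAST_AFFECTED="2.7.7.25"         # last affected version from the advisory

# Succeeds when dotted version $1 <= $2, comparing components numerically
# (so 2.7.7.3 < 2.7.7.25, which a plain string comparison gets wrong).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p != q) exit (p > q)
        }
        exit 0
    }'
}

# Prints the plugin's Version: header for WordPress root $1.
# Assumption: plugins live under wp-content/plugins (the default layout).
plugin_version() {
    dir="$1/wp-content/plugins/$SLUG"
    [ -d "$dir" ] || return 1
    grep -h -i -m1 -E '^[[:space:]/*#@]*Version:' "$dir"/*.php 2>/dev/null |
        head -n1 | sed -E 's/^.*[Vv]ersion:[[:space:]]*//; s/[[:space:]]*$//'
}

# Prints "not-installed", "unknown", "affected VER" or "not-affected VER".
audit_site() {
    ver=$(plugin_version "$1") || { echo "not-installed"; return 0; }
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    if version_le "$ver" "$LAST_AFFECTED"; then
        echo "affected $ver"
    else
        echo "not-affected $ver"
    fi
}

# Constructed fixture: a fake plugin directory with a Version: header.
make_fixture() {
    mkdir -p "$1/wp-content/plugins/$SLUG"
    printf '<?php\n/*\n * Plugin Name: constructed fixture\n * Version: %s\n */\n' \
        "$2" > "$1/wp-content/plugins/$SLUG/fixture.php"
}

# Usage: sh audit.sh /var/www/site1 /var/www/site2
for root in "$@"; do
    printf '%s: %s\n' "$root" "$(audit_site "$root")"
done
```

An "unknown" result means the plugin directory exists but no version header was found, so that site needs a manual check.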
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of < 1% suggests a low likelihood of mass exploitation under normal conditions. The vulnerability is not listed in CISA's KEV catalog, implying no confirmed large-scale attacks so far. Exploitation requires the attacker to supply malicious input that is stored by the plugin, typically through a gallery creation or editing interface. Once stored, the injected script executes in the browser of any visitor who views the gallery, giving the attack a broad audience. Although the risk is moderate, the potential for user impact and data theft warrants prompt remediation.