Improper Neutralization of Input During Web Page Generation allows stored cross‑site scripting on WordPress sites that use the TZ PlusGallery plugin. Unauthorized content can be injected into the gallery’s output, enabling an attacker to execute arbitrary JavaScript in the browsers of visitors, steal session cookies, deface the site, or redirect users to malicious destinations. The vulnerability is a classic example of CWE‑79, where input is not properly sanitized before being reflected in generated web pages.

The flaw exists in all installations of the tuyennv TZ PlusGallery plugin version 1.5.5 and earlier. Any WordPress site that has installed this plugin without upgrading to a newer release is susceptible, regardless of the overall WordPress version or other security settings.

With a CVSS score of 5.9 the affected installations are considered medium‑risk. The EPSS score is less than 1 %, indicating that exploitation attempts are currently rare and overall exposure is limited. The vulnerability is not listed in CISA’s KEV catalog, so no proven or widely distributed exploits are known. The likely attack vector is through the plugin’s content submission or gallery configuration interfaces, where unfiltered user input can be stored and later rendered to users. An attacker would typically need access to a user account with permission to add or modify gallery items, or to manipulate the input fields exposed in the plugin’s front‑end UI.