Foogallery for WordPress stores content that is later displayed without proper escaping, allowing an attacker to inject malicious scripts. The vulnerability is a stored cross‑site scripting flaw (CWE‑79) that can compromise the integrity of a website and any users who view the affected content. In a successful exploitation, an attacker could execute arbitrary JavaScript in the context of the visitor’s browser, potentially hijacking sessions, defacing the site, or delivering malware.

The affected product is the FooPlugins FooGallery WordPress plugin, versions 3.1.11 and older. All WordPress sites running these versions are vulnerable, as the flaw is present through the last released 3.1.11 build. The plugin is a gallery component that shows images and media, and its storage functions are used by administrators and possibly contributor users.

With a CVSS score of 5.9, the flaw is considered moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The flaw is not listed in the CISA KEV catalog, meaning no known high‑profile exploit has been observed. The attack vector is inferred to be the web interface that accepts user‑supplied gallery metadata, so an attacker would need to insert malicious content into that data stream before it is rendered to site visitors. An unauthenticated user could potentially exploit the flaw if the plugin allows content input from such users; otherwise an authenticated user with gallery management privileges is required.