Impact
A Subscriber Cross Site Scripting (XSS) flaw exists in WordPress Modula Image Gallery plugin versions up to 2.14.23. The vulnerability allows malicious JavaScript to be injected in contexts that are subsequently rendered to users with the subscriber role. An attacker could use this to deface content, steal session cookies, or redirect users to phishing sites, thereby compromising confidentiality, integrity, or availability of the affected site.
Affected Systems
WordPress sites using the Modula Image Gallery plugin released by WP Chill, specifically any installation of versions 2.14.23 or older. The vulnerability is not present in version 2.14.24 and later, which contain the fix.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The attack does not appear in the CISA KEV catalog. Attackers likely exploit the flaw by crafting a malicious input that a subscriber user will view, leading to execution of the injected script in the victim’s browser. Critical damage would require an attacker to have access to a subscriber account or to persuade a subscriber to navigate to a vulnerable page.
OpenCVE Enrichment