CVE-2020-9334: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the Envira Photo Gallery WordPress plugin versions through 1.7.6. The vulnerability was disclosed on February 25, 2020, and assigned identifier CVE-2020-9334. This security flaw affects the WordPress plugin Envira Photo Gallery, which is used for creating and managing photo galleries on WordPress websites (NVD, CVE).

The vulnerability is classified as a stored XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Under CVSS v2.0, it scored 3.5 (Low) with the vector (AV:N/AC:M/Au:S/C:N/I:P/A:N) (NVD).

Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that could be viewed and executed by other users accessing the affected pages. This could potentially lead to unauthorized access to sensitive information or manipulation of website content (NVD).

Users are advised to update their Envira Photo Gallery plugin to a version newer than 1.7.6 to address this vulnerability. The fix has been implemented in subsequent versions of the plugin (WordPress Plugin).