CVE-2021-24291: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before version 1.5.69 was identified with a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in early 2021 and was publicly disclosed on April 19, 2021. The issue affected both authenticated and unauthenticated users of WordPress installations using the vulnerable plugin version (WPScan, CVE Mitre).

The vulnerability was classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79, with a CVSS score of 7.1 (High). The security flaw existed in the bwgfrontenddata AJAX action, where multiple GET parameters including galleryid, tag, albumid, and theme_id were not properly sanitized. This allowed for the injection of malicious JavaScript code through these parameters (WPScan).

The vulnerability could allow attackers to execute arbitrary JavaScript code in users' browsers when they access specially crafted URLs. Since the vulnerability was accessible to both authenticated and unauthenticated users, it posed a significant risk to all visitors of affected WordPress sites (WPScan).

The vulnerability was patched in version 1.5.69 of the Photo Gallery plugin. Users were advised to update their installations to this version or later to mitigate the security risk (WPScan).