CVE-2021-24293: 
WordPress vulnerability analysis and mitigation

CVE-2021-24293 is a Reflected Cross-Site Scripting (XSS) vulnerability discovered in NextGEN Gallery Pro versions prior to 3.1.11. The vulnerability was identified in the eCommerce module, specifically in the getcartitems functionality accessed via photocrati_ajax. The issue was discovered by security researcher Thura Moe Myint and was publicly disclosed on February 24, 2021 (WPScan).

The vulnerability exists in the eCommerce module where the settings[shippingaddress][name] parameter in the getcartitems action via photocratiajax can be manipulated to inject malicious JavaScript code. The vulnerability has been assigned a CVSS score of 6.1 (Medium) and is classified under CWE-79: Cross-Site Scripting. A proof of concept demonstrates that the vulnerability can be exploited by accessing a page with an embedded NextGEN Pro gallery using the following URL pattern: ?photocratiajax=1&action=getcartitems&cart=&settings[shippingaddress][name]=a (WPScan).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been patched in NextGEN Gallery Pro version 3.1.11. Users are advised to upgrade to this version or later to protect against this security issue. The fix addresses the problem with the getcartitems endpoint (Imagely Changelog).