CVE-2021-24362: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-24362 affects the Photo Gallery WordPress plugin versions 1.5.74 and below. This security issue was discovered and reported on July 18, 2021, and involves a Stored Cross-Site Scripting (XSS) vulnerability that can be exploited through SVG file uploads (WPScan, Wordfence).

The vulnerability has been assigned a CVSS score of 6.1 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The core issue stems from the plugin's failure to properly validate SVG files uploaded to galleries. When these files are uploaded to the /wp-content/uploads/photo-gallery/ folder, any embedded JavaScript code within the SVG can be executed when the image is accessed directly (WPScan).

The vulnerability allows users with gallery upload permissions to inject malicious JavaScript code through SVG files. When other users access these uploaded images directly, the embedded malicious code executes in their browsers, potentially leading to cross-site scripting attacks (WPScan).

The vulnerability was patched in version 1.5.75 of the Photo Gallery plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).