CVE-2021-24909: 
WordPress vulnerability analysis and mitigation

The CVE-2021-24909 vulnerability affects the ACF Photo Gallery Field WordPress plugin versions before 1.7.5. This security flaw was discovered by Krzysztof Zając and was publicly disclosed on December 20, 2021. The vulnerability is identified as a Reflected Cross-Site Scripting (XSS) issue in the plugin's functionality (WPScan).

The vulnerability stems from improper input sanitization in the includes/acf_photo_gallery_metabox_edit.php file. Specifically, the plugin fails to sanitize and escape the post parameter before outputting it back in an attribute. The vulnerability has been assigned a CVSS score of 6.1 (medium severity) and is classified under CWE-79, which relates to cross-site scripting issues. It falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

The vulnerability allows attackers to execute malicious JavaScript code in the context of other users' browsers who access the affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (WPScan).

The vulnerability has been fixed in version 1.7.5 of the ACF Photo Gallery Field plugin. Users are advised to update to this version or newer to mitigate the security risk (WPScan).