CVE-2021-36891: 
WordPress vulnerability analysis and mitigation

CVE-2021-36891 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Photo Gallery by Supsystic plugin versions 1.15.5 and below for WordPress. The vulnerability was discovered and reported by Rasi Afeef, and was publicly disclosed on June 15, 2022. The issue allows attackers to modify plugin settings through CSRF attacks targeting authenticated administrators (Patchstack, NVD).

The vulnerability stems from the absence of CSRF protection mechanisms in the plugin's settings update functionality. It has been assigned a CVSS v3.1 base score of 4.3 (Medium) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, while Patchstack assigned it a slightly higher score of 5.4 (Medium). The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD, Patchstack).

The vulnerability allows attackers to trick authenticated administrators into making unwanted changes to the plugin settings through CSRF attacks. This could potentially lead to unauthorized modifications of gallery configurations and settings (WPScan, Patchstack).

The vulnerability was fixed in version 1.15.6 of the Photo Gallery by Supsystic plugin. Users are advised to update to this version or later to resolve the security issue (Patchstack).