CVE-2022-0186: 
WordPress vulnerability analysis and mitigation

CVE-2022-0186 affects the Image Photo Gallery Final Tiles Grid WordPress plugin versions before 3.5.3. The vulnerability was discovered by Harshit (aka fumenoid) and Siddhant Chouhan (aka sidchn), and was publicly disclosed on January 18, 2022. This security issue affects WordPress installations using the vulnerable plugin versions (WPScan).

The vulnerability is a Stored Cross-Site Scripting (XSS) issue, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The core issue stems from the plugin's failure to properly sanitize and escape the Description field when editing a gallery. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows users with a role as low as contributor to perform Cross-Site Scripting attacks against other users who have access to the gallery dashboard. When exploited, the XSS payload is triggered when the gallery is edited, for example, when an administrator reviews the content (WPScan).

The vulnerability has been fixed in version 3.5.3 of the Image Photo Gallery Final Tiles Grid plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).