CVE-2022-1946: 
WordPress vulnerability analysis and mitigation

The Gallery WordPress plugin before version 2.0.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2022-1946. The vulnerability was discovered and disclosed on June 13, 2022. The issue affects the plugin's AJAX functionality where a parameter is not properly sanitized and escaped before being output in the response, making it accessible to both authenticated and unauthenticated users (WPScan).

The vulnerability exists in the AJAX action handler of the Gallery plugin. Specifically, the 'wpdagallloadimageinfo' AJAX action does not properly sanitize and escape the 'gallerycurrentindex' parameter before reflecting it back in the response. The vulnerability has been assigned a CVSS v3 base score of 6.1 (Medium), indicating a moderate severity level. The attack vector is network-based, with low attack complexity and no privileges required, though it does require user interaction (AttackerKB).

If successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the specially crafted URL. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 2.0.0 of the Gallery plugin. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (WPScan).