CVE-2022-4058: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web WordPress plugin before version 1.8.3 contains a stored Cross-Site Scripting (XSS) vulnerability via CSRF. The vulnerability was discovered and publicly disclosed on November 28, 2022, and was assigned CVE-2022-4058. The issue affects the WordPress plugin 'photo-gallery' and has been fixed in version 1.8.3 (WPScan).

The vulnerability exists because the plugin does not properly validate and escape certain parameters before outputting them back in JavaScript code on another page. The vulnerability has been assigned a CVSS score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Cross-Site Scripting) (NVD, WPScan).

When successfully exploited, this vulnerability allows an attacker to execute a stored XSS attack when a logged-in administrator opens a malicious URL or page under the attacker's control. The XSS payload will only trigger for the attacked user and will be reset when they logout (WPScan).

The vulnerability has been fixed in version 1.8.3 of the Photo Gallery plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).