CVE-2022-47603: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the wpdevart Gallery – Image and Video Gallery with Thumbnails WordPress plugin, affecting versions 2.0.1 and below. The vulnerability was identified on December 17, 2022, and publicly disclosed on February 3, 2023. This security issue impacts websites using the affected plugin versions (Patchstack).

The vulnerability occurs because the plugin fails to properly sanitize and escape the 'id' parameter before outputting it back in the page. This security flaw has been assigned CVE-2022-47603 and has received varying CVSS scores: NVD rates it at 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while Patchstack assigns it a score of 7.1 (High). The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (WPScan, NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects and advertisements, as well as other HTML payloads into the affected website. These injected scripts would be executed when visitors access the site, potentially compromising user security and website integrity (Patchstack).

The vulnerability has been patched in version 2.0.2 of the plugin. Website administrators are strongly advised to update to this version or later to resolve the security issue. Additionally, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks until users can update to the fixed version (Patchstack).