CVE-2023-28666: 
WordPress vulnerability analysis and mitigation

The InPost Gallery WordPress plugin, versions prior to 2.2.2, contains a reflected cross-site scripting vulnerability in the 'imgurl' parameter of the addinpostgalleryslideitem action. This vulnerability can only be exploited by authenticated users (NVD, Tenable Research).

The vulnerability exists due to improper sanitization of the 'imgurl' parameter in the addinpostgalleryslideitem action. When this parameter is processed, it is reflected in the response without proper filtering or escaping, leading to a potential cross-site scripting attack. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Tenable Research).

If successfully exploited, this vulnerability could allow an authenticated attacker to execute arbitrary JavaScript code in the context of other users' browsers who visit the affected page. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the targeted user's session (WPScan).

The plugin has been closed as of December 19, 2022, and remains unfixed. Users are advised to consider removing the plugin or implementing additional security controls to restrict access to the vulnerable functionality (Tenable Research).