CVE-2023-6747: 
WordPress vulnerability analysis and mitigation

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress (CVE-2023-6747) contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 2.3.3. The vulnerability was discovered and disclosed on January 3, 2024, affecting the custom attributes functionality in the plugin (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the custom attributes feature. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows contributors and users with higher privileges to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions and data exposure (NVD).

Users should upgrade their FooGallery plugin to version 2.4.6 or later, which contains the fix for this vulnerability (NVD).