CVE-2023-6924: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web plugin for WordPress (CVE-2023-6924) is a Stored Cross-Site Scripting vulnerability affecting versions up to and including 1.8.18. The vulnerability was discovered and disclosed on January 11, 2024, impacting the WordPress plugin's widget functionality (NVD).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the widget functionality. The issue has been assigned a CVSS v3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring high privileges and user interaction (NVD).

When successfully exploited, the vulnerability allows authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. Additionally, the vulnerability can be exploited by users with contributor-level permissions when using a page builder plugin (NVD).

Users should update their Photo Gallery by 10Web plugin to a version newer than 1.8.18. A patch has been released to address the vulnerability, which can be found in the WordPress plugin repository (WordPress Patch).