CVE-2024-12096: 
WordPress vulnerability analysis and mitigation

The Exhibit to WP Gallery WordPress plugin through version 0.0.2 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Bob Matyas and was publicly disclosed on December 3, 2024. The issue affects the plugin's handling of user input parameters, which are not properly sanitized before being output back to the page (WPScan).

The vulnerability stems from improper input validation where the plugin fails to sanitize and escape a parameter before outputting it back in the page. This security flaw has been assigned a CVSS v3.1 score of 6.1 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, NVD).

The vulnerability could be exploited against high-privilege users such as administrators. When successfully exploited, it allows attackers to execute malicious scripts in the context of the victim's browser session, potentially leading to unauthorized access to sensitive information or performing actions on behalf of the administrator (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Exhibit to WP Gallery WordPress plugin should consider either removing the plugin or implementing additional security controls until a patch is released (WPScan).