CVE-2024-13384: 
WordPress vulnerability analysis and mitigation

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before version 3.2.24 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered in December 2024 and affects the plugin's gallery management functionality. The vulnerability has been assigned CVE-2024-13384 and received a CVSS score of 4.8 (MEDIUM) (WPScan, Wiz).

The vulnerability stems from improper sanitization and escaping of settings in the plugin's gallery management functionality. Specifically, the issue affects the 'rsg_galleryImages' parameter in the Manage Galleries section. The security flaw persists even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (WPScan, NVD).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. The impact is particularly notable in multisite WordPress installations where even admin users typically have restricted HTML capabilities (Wiz).

The vulnerability has been patched in version 3.2.24 of the Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).