CVE-2024-13583: 
WordPress vulnerability analysis and mitigation

The Simple Gallery with Filter WordPress plugin contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13583) discovered in all versions up to and including 2.0. The vulnerability was identified on January 23, 2025, by researcher Peter Thaleikis (Wordfence Intel).

The vulnerability exists in the plugin's 'c2tw_sgwf' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The severity of this vulnerability has been assessed with a CVSS v3.1 base score of 6.4 (Medium) by Wordfence and 5.4 (Medium) by NIST, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user interactions (NVD).

Users are advised to update their Simple Gallery with Filter plugin to version 2.1 or later, which contains the necessary security fixes (Wordfence Intel).