CVE-2024-22295: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery affecting versions up to 3.2.17. The vulnerability was disclosed on January 17, 2024, and was assigned CVE-2024-22295. The issue affects the WordPress plugin Robo Gallery and allows authenticated users with author-level access and above to inject malicious web scripts (Patchstack, WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.4 (Medium) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Patchstack assigned a slightly higher CVSS score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin (NVD).

The vulnerability allows authenticated attackers with author-level privileges to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions, data theft, or other malicious activities (WPScan).

The vulnerability has been fixed in version 3.2.18 of the Robo Gallery plugin. Users are advised to update to this version or later to remediate the security issue (Patchstack).