CVE-2024-2744: 
WordPress vulnerability analysis and mitigation

The NextGEN Gallery WordPress plugin before version 3.59.1 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-2744. The vulnerability was discovered and disclosed on April 26, 2024, affecting the plugin's settings functionality. This security issue impacts high-privilege users such as administrators, even when the unfiltered_html capability is disabled (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. Specifically, the issue is present in the NextGEN Media RSS Widget functionality, where the 'Tooltip text for Media RSS link' setting is not properly sanitized, allowing for the injection of malicious JavaScript code. The vulnerability has been assigned a CVSS score of 3.5 (low severity) (WPScan).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Cross-Site Scripting attacks. The impact is somewhat limited since it requires administrative access and primarily affects scenarios where unfiltered_html is disallowed (WPScan).

The vulnerability has been patched in NextGEN Gallery version 3.59.1. Users are advised to update to this version or later to mitigate the security risk (WPScan).