CVE-2024-2762: 
WordPress vulnerability analysis and mitigation

CVE-2024-2762 affects the FooGallery WordPress plugin (both regular and premium versions) before version 2.4.15. The vulnerability was discovered and disclosed on May 23, 2024, by security researcher Dmitrii Ignatyev. The issue affects WordPress installations running FooGallery or FooGallery Premium plugins in versions prior to 2.4.15 (WPScan).

The vulnerability is a Stored Cross-Site Scripting (XSS) issue classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 score is 5.4 (Medium) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists because the plugin does not properly validate and escape some of its Gallery settings before outputting them back in the page (NVD).

The vulnerability allows users with a role as low as Author to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as administrators. This could potentially lead to unauthorized actions being performed with administrator privileges when viewing affected gallery pages (WPScan).

The vulnerability has been patched in version 2.4.15 of both FooGallery and FooGallery Premium plugins. Users are advised to update to this version or later to mitigate the risk (WPScan).