CVE-2024-3710: 
WordPress vulnerability analysis and mitigation

The Image Photo Gallery Final Tiles Grid WordPress plugin before version 3.6.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists because the plugin does not properly validate and escape some of its shortcode attributes before outputting them back in the page. This vulnerability was discovered and reported by Dmitrii Ignatyev, and was assigned CVE-2024-3710 (WPScan).

The vulnerability allows users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. The issue specifically involves the 'Additional CSS class on A tag' field in the gallery creation functionality, where malicious JavaScript can be injected. The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L (WPScan).

If successfully exploited, this vulnerability could allow attackers with contributor-level access to execute stored XSS attacks against high-privilege users such as administrators. This could potentially lead to unauthorized actions being performed with administrator privileges when the malicious content is viewed (WPScan).

The vulnerability has been fixed in version 3.6.0 of the Image Photo Gallery Final Tiles Grid plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).