CVE-2024-5442: 
WordPress vulnerability analysis and mitigation

The Photo Gallery, Sliders, Proofing and WordPress plugin (NextGEN Gallery) before version 3.59.3 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on June 22, 2024, and was assigned identifier CVE-2024-5442. This security issue affects the plugin's settings functionality, specifically impacting high-privilege users such as administrators (WPScan).

The vulnerability stems from improper sanitization and escaping of certain settings within the plugin. This security weakness allows high-privilege users to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS 3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow authenticated administrators to inject and store malicious JavaScript code in the plugin's settings. This stored XSS could potentially be triggered when other users access specific pages containing the compromised album content, potentially leading to session hijacking, credential theft, or other client-side attacks (WPScan).

The vulnerability has been patched in version 3.59.3 of the NextGEN Gallery plugin. Site administrators are strongly advised to update to this version or later to mitigate the security risk (WPScan).