CVE-2024-6393: 
WordPress vulnerability analysis and mitigation

The Photo Gallery, Sliders, Proofing and WordPress plugin (NextGEN Gallery) before version 3.59.5 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on November 4, 2024, and was assigned CVE-2024-6393. This security issue affects high-privilege users such as Administrators, particularly in multisite setups where the unfiltered_html capability is disallowed (WPScan).

The vulnerability stems from improper sanitization and escaping of Images settings in the plugin. When adding or editing an image from a Gallery, the "Description" field can be manipulated to inject malicious JavaScript code. The XSS payload gets triggered when users click on the image within a post that contains the NextGen Gallery block. The vulnerability has been assigned a CVSS v3.1 score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows high-privilege users such as Administrators to perform Stored Cross-Site Scripting attacks. This can lead to the execution of arbitrary JavaScript code in users' browsers when they view affected gallery images, potentially compromising sensitive information or performing actions on behalf of the victim (WPScan).

Users should upgrade to NextGEN Gallery version 3.59.5 or later, which contains the fix for this vulnerability (WPScan).