CVE-2024-6629: 
WordPress vulnerability analysis and mitigation

The All-in-One Video Gallery plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-6629) in versions up to and including 3.7.1. The vulnerability exists in the plugin's Video shortcode functionality due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R) in a changed scope (S:C) that can affect confidentiality and integrity (C:L/I:L) but not availability (A:N) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Users should update to version 3.8.3 or later of the All-in-One Video Gallery plugin, which contains the security fix. The vulnerability was patched through improved input sanitization and output escaping mechanisms (WordPress Plugin).