The plugin does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as Contributor to perform stored Cross-Site Scripting attacks against other users who have access to the gallery dashboard.
As a contributor, create/edit a gallery and add the following payload in the Description field: `">`

The XSS will be triggered when the gallery is edited (for example, by an admin checking it).
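The pattern behind this bug, as an added illustration that is not the plugin's own code: a hypothetical gallery-edit form that stores the Description as submitted and echoes it raw into an HTML attribute (where a value beginning with `">` closes the attribute early), beside a hardened version that validates the request, sanitises on save and escapes for the output context. The `$gallery` object, the `example_galleries` table name and the nonce action are assumptions.

```php
<?php
// Hypothetical reconstruction, not code from the Final Tiles Gallery plugin.
// Assumes $gallery->description is loaded from a plugin table and rendered
// in the admin gallery-edit form.

// --- Vulnerable: stored as-is, echoed raw into an HTML attribute -----------
// A description beginning with  ">  terminates the value="..." attribute, so
// anything after it is parsed as markup by whoever opens the edit form.
function vulnerable_save_description( $gallery_id ) {
    global $wpdb;
    $description = $_POST['description']; // no sanitisation at all
    $wpdb->update( $wpdb->prefix . 'example_galleries', // hypothetical table
        array( 'description' => $description ),
        array( 'id' => $gallery_id ) );
}
function vulnerable_render_description( $gallery ) {
    echo '<input type="text" name="description" value="' . $gallery->description . '">';
}

// --- Hardened: check the request, sanitise on save, escape on output -------
function hardened_save_description( $gallery_id ) {
    global $wpdb;
    // Reject requests without the right capability or a valid nonce (CSRF).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'example_save_gallery_' . $gallery_id ); // hypothetical action
    // Sanitise on input: strip tags, control characters and WP's added slashes.
    $description = sanitize_text_field( wp_unslash( $_POST['description'] ?? '' ) );
    $wpdb->update( $wpdb->prefix . 'example_galleries', // hypothetical table
        array( 'description' => $description ),
        array( 'id' => (int) $gallery_id ),
        array( '%s' ), array( '%d' ) );
}
function hardened_render_description( $gallery ) {
    // Escape for the exact context: esc_attr() inside an attribute value,
    // esc_html() between tags. Sanitising on save alone is not enough, since
    // rows written before the fix (or by other code paths) may still hold
    // unsafe data; output escaping neutralises those too.
    echo '<input type="text" name="description" value="' . esc_attr( $gallery->description ) . '">';
    echo '<p>' . esc_html( $gallery->description ) . '</p>';
}
```

With the hardened output, a stored `">` is rendered as the literal characters `&quot;&gt;` and never leaves the attribute, regardless of who submitted it.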
| CPE | Name | Operator | Version |
|---|---|---|---|
| | final-tiles-grid-gallery-lite | lt | 3.5.5 |