In the plugin, the Custom CSS field of each gallery is not properly sanitised or validated before being output in the page where the gallery is embedded, leading to a stored Cross-Site Scripting issue.
Create or edit a gallery and add the following payload in the Custom CSS field:

| CPE | Name | Operator | Version |
|---|---|---|---|
| | foogallery | lt | 2.0.35 |
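
One way to close the gap described above, as an added example rather than the plugin's own code: validate the Custom CSS value on save and strip tags again on output. It assumes the CSS is emitted inside a `<style>` element; the function names, the element id and the sample values are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not FooGallery's code.
// Assumption: the gallery's Custom CSS is printed inside a <style> element.

/**
 * Validate on save. CSS never needs an HTML tag, comment or processing
 * instruction, so reject "<" followed by a letter, "/", "!" or "?".
 * Selectors such as "div > span" still pass.
 */
function example_validate_gallery_css(string $css): bool
{
    return preg_match('#<[/!?a-z]#i', $css) !== 1;
}

/**
 * Sanitise on output. Stored values are treated as untrusted even when
 * validated on save (rows written by older versions, imports, direct
 * database edits), so tags are stripped again here.
 * htmlspecialchars() is not used: it would turn ">" into "&gt;" and
 * break child selectors.
 */
function example_render_gallery_css(int $gallery_id, string $css): string
{
    $safe = strip_tags($css);
    return sprintf(
        "<style id=\"example-gallery-%d-css\">\n%s\n</style>\n",
        $gallery_id,
        $safe
    );
}

// Constructed sample values, not taken from the advisory.
$samples = [
    '.thumb > img { border: 1px solid #ccc; }',  // ordinary CSS
    '.x{}</style><p>injected markup</p>',        // markup closing the style block
];

foreach ($samples as $css) {
    printf(
        "valid on save: %s\n%s\n",
        example_validate_gallery_css($css) ? 'yes' : 'no',
        example_render_gallery_css(1, $css)
    );
}
```

The first sample passes validation and is rendered unchanged; the second is rejected on save, and if it were already stored, the output step emits it with the tags removed so it stays inside the `<style>` element as inert text.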