WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access Control settings. Attackers can enter JavaScript payloads in the plugin options that are stored in the database and executed when the functionality is triggered, enabling session hijacking or credential theft.
Security readout for executives and security teams
Plain-English summary
Picture Gallery 1.4.2 for WordPress can store malicious script in a plugin setting. If triggered, that script may run in another user’s browser, creating risk of account takeover, credential theft, or unauthorized site changes.
Executive priority
Treat as a moderate website security issue. Prioritize internet-facing WordPress sites, especially those with many authenticated users or sensitive administrator sessions.
Technical view
This is a stored cross-site scripting flaw, CWE-79, in the Access Control Edit Content URL field. The CVSS 3.1 score is 6.4 with low attack complexity, low privileges required, changed scope, and limited confidentiality and integrity impact.
Likely exposure
Exposure is limited to WordPress sites running the Picture Gallery plugin version 1.4.2. The source bundle does not identify other affected versions or a confirmed fixed version.
Exploitation context
The bundle includes an ExploitDB reference, so public exploit information exists. It is not listed in CISA KEV, and the supplied sources do not provide evidence of active exploitation.
Researcher notes
Evidence supports stored XSS in one named plugin version and field. The bundle does not prove active exploitation, broad version impact, or an upstream patch. Avoid assuming remediation beyond vendor guidance, removal, or access restriction.
Mitigation direction
Inventory WordPress sites for Picture Gallery 1.4.2.
Disable or remove the plugin where it is not business-critical.
Check vendor and advisory pages for a fixed release or official mitigation.
Limit plugin settings access to trusted administrators only.
Review suspicious admin sessions and password-reset activity.
Validation and detection
Confirm installed WordPress plugin names and versions on each site.
Review Access Control settings for unexpected script content.
Inspect relevant plugin options in backups or change history.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.