The plugin did not properly sanitise the bwg_search_X GET parameter before reflecting it into the frontend gallery search box, which is available when the Show Search Box setting is enabled (disabled by default), leading to a reflected Cross-Site Scripting issue.
Append the payload below to the URL of a page with an embedded gallery and the Show Search Box setting enabled (in Global Settings > Gallery Views):

?bwg_search_0=" onfocus="alert(/XSS/)
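The root cause and its fix side by side, as an added illustration that is not the plugin's own code: a hypothetical search-box renderer that interpolates the raw bwg_search_X value into a quoted attribute, and the same renderer hardened with WordPress's esc_attr(). The function names and the fallback definitions (used only so the file runs under plain php on the CLI, outside WordPress) are assumptions.

```php
<?php
// Added example, not the plugin's code. Outside WordPress, provide minimal
// stand-ins for esc_attr() and wp_unslash() so this runs from the CLI.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// Vulnerable form (hypothetical): the raw GET value lands inside value="...".
// A value containing `"` closes the attribute, so whatever follows becomes
// new attribute syntax, which is exactly what the advisory's payload does.
function render_search_box_vulnerable( array $get, $gallery_id = 0 ) {
    $key   = 'bwg_search_' . (int) $gallery_id;
    $value = isset( $get[ $key ] ) ? $get[ $key ] : '';
    return '<input type="text" name="' . $key . '" value="' . $value . '">';
}

// Hardened form: esc_attr() encodes `"`, `'`, `<`, `>` and `&`, so the
// parameter can only ever be attribute *text*, never attribute *syntax*.
// wp_unslash() undoes WordPress's request slashing before escaping.
function render_search_box_hardened( array $get, $gallery_id = 0 ) {
    $key   = 'bwg_search_' . (int) $gallery_id;
    $value = isset( $get[ $key ] ) ? wp_unslash( $get[ $key ] ) : '';
    return '<input type="text" name="' . esc_attr( $key )
         . '" value="' . esc_attr( $value ) . '">';
}

// Constructed sample request mirroring the advisory's payload.
$sample = array( 'bwg_search_0' => '" onfocus="alert(/XSS/)' );

// In the vulnerable output the markup gains an onfocus attribute; in the
// hardened output every quote is encoded and the input stays a single attribute.
echo render_search_box_vulnerable( $sample ), "\n";
echo render_search_box_hardened( $sample ), "\n";
```

The same rule applies to any other context the parameter is echoed into: pick the escaping function for that context (esc_attr for attributes, esc_html for element text, esc_js for inline script) rather than sanitising on input alone.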
2021-02-23 (about 2 years ago)