In the plugin, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue.
Create or edit a gallery and add the following payload in the Custom CSS field: </style><svg/onload=alert(document.domain)> Then, view the embed gallery (which must have at least one image) in a page or post to trigger the XSS
2021-05-31 (about 2 years ago)
2021-05-31 (about 2 years ago)
2021-06-01 (about 2 years ago)