A cross-site scripting (XSS) vulnerability was discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to inject malicious JavaScript that executes whenever a site administrator accesses the PhotoSwipe Options page or a user accesses a page with a gallery created by the plugin.
We strongly recommend ensuring that your site has been updated to the latest patched version of “Photoswipe Masonry Gallery”, which is version 1.2.18 at the time of this publication.
Photoswipe Masonry Gallery is a plugin designed to enhance gallery creation using the default WordPress gallery builder which can be added to WordPress pages and posts. As with many other plugins available in the WordPress repository, this plugin has the ability to set general options for the plugin. These settings translate over to any gallery that a site owner chooses to create and includes things like thumbnail width and height for images along with many other settings. Unfortunately, this plugin had a vulnerability that made it possible for attackers to modify these settings.