CVE-2022-0750: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in deanoakley Photoswipe Masonry Gallery

Medium
Published: Wed Mar 23 2022 (03/23/2022, 19:46:50 UTC)
Source: CVE
Vendor/Project: deanoakley
Product: Photoswipe Masonry Gallery

Description

The Photoswipe Masonry Gallery WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the thumbnail_width, thumbnail_height, max_image_width, and max_image_height parameters found in the ~/photoswipe-masonry.php file which allows authenticated attackers to inject arbitrary web scripts into galleries created by the plugin and on the PhotoSwipe Options page. This affects versions up to and including 1.2.14.

AI-Powered Analysis

Last updated: 07/06/2025, 22:43:21 UTC

Technical Analysis

CVE-2022-0750 is a medium-severity Cross-Site Scripting (XSS) vulnerability affecting the Photoswipe Masonry Gallery WordPress plugin developed by deanoakley. This vulnerability arises from improper neutralization of input during web page generation, specifically due to insufficient escaping and sanitization of several parameters: thumbnail_width, thumbnail_height, max_image_width, and max_image_height. These parameters are handled in the photoswipe-masonry.php file. An authenticated attacker with at least limited privileges can exploit this flaw by injecting arbitrary web scripts into galleries created by the plugin or on the PhotoSwipe Options page. Because the vulnerability requires authentication but no user interaction, it allows an attacker who has access to the WordPress backend to execute malicious JavaScript code in the context of the victim’s browser. This can lead to session hijacking, defacement, or other attacks that leverage script execution. The vulnerability affects all versions up to and including 1.2.14 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. There are no known exploits in the wild reported, and no official patches or updates have been linked in the provided data. This vulnerability is categorized under CWE-79, which is a common and well-understood class of web application security issues related to improper input sanitization leading to XSS.

Potential Impact

For European organizations using WordPress websites with the Photoswipe Masonry Gallery plugin, this vulnerability presents a tangible risk of unauthorized script execution within authenticated sessions. The impact includes potential theft of session cookies, unauthorized actions performed on behalf of legitimate users, and the injection of malicious content that could damage brand reputation or lead to data leakage. Since the vulnerability requires authentication, the risk is higher in environments where multiple users have backend access, such as agencies, content teams, or multi-user editorial platforms. Exploitation could facilitate lateral movement or privilege escalation within the web application environment. Given the widespread use of WordPress in Europe across various sectors including media, e-commerce, and government websites, the vulnerability could be leveraged to target sensitive information or disrupt services. The absence of known active exploits reduces immediate risk, but the medium severity score indicates that timely remediation is important to prevent future attacks.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Photoswipe Masonry Gallery plugin, especially versions up to 1.2.14. If found, they should restrict plugin usage to trusted administrators only and review user privileges to minimize the number of accounts with authenticated access. Since no official patch is linked, organizations should monitor the plugin vendor’s repository or WordPress plugin directory for updates or security patches addressing CVE-2022-0750. In the interim, applying Web Application Firewall (WAF) rules that detect and block suspicious payloads targeting the vulnerable parameters (thumbnail_width, thumbnail_height, max_image_width, max_image_height) can reduce exploitation risk. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts. Regular security training for administrators to recognize and report suspicious activity is also recommended. Finally, organizations should consider alternative gallery plugins with better security track records if timely patching is not feasible.
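The interim WAF-style check described above can be expressed as an allowlist rather than a payload blocklist. The sketch below is an added example, not code from the plugin or from this advisory; it assumes the four parameters are pixel dimensions that should only ever be short digit strings and that they arrive in a form-encoded request body, optionally nested as `something[param]` (the nesting and the sample requests are constructed for illustration).

```python
import re
from urllib.parse import parse_qsl

# Parameter names taken from the advisory text.
GUARDED_PARAMS = (
    "thumbnail_width",
    "thumbnail_height",
    "max_image_width",
    "max_image_height",
)

# Assumption: a legitimate value is 1-5 ASCII digits (a pixel dimension).
# [0-9] is used deliberately; \d would also accept non-ASCII digits.
_DIGITS = re.compile(r"[0-9]{1,5}")


def find_violations(body: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs that are not plain integers."""
    violations = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        # Reduce a nested field name such as opts[thumbnail_width] to its key.
        key = name.rsplit("[", 1)[-1].rstrip("]")
        if key not in GUARDED_PARAMS:
            continue
        # An empty value is treated as "unset" and allowed through.
        if value and not _DIGITS.fullmatch(value):
            violations.append((key, value))
    return violations


# Constructed sample request bodies (not captured traffic).
SAMPLE_REQUESTS = [
    "thumbnail_width=150&thumbnail_height=150"
    "&max_image_width=1800&max_image_height=1800",
    "thumbnail_width=150%22%3E%3Ci%3Econstructed%3C%2Fi%3E&thumbnail_height=150",
    "opts%5Bmax_image_height%5D=1800px&other=%3Cb%3E",
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        hits = find_violations(body)
        print("BLOCK" if hits else "ALLOW", hits)
```

Because the check runs on the percent-decoded value, encoded markup is caught by the same rule as a stray unit suffix such as `1800px`, and unrelated fields are ignored.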

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2022-02-24T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbc6c

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/6/2025, 10:43:21 PM

Last updated: 8/16/2025, 1:19:59 AM
