CVE-2022-2190 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Gallery Plugin for WordPress, specifically the Envira Photo Gallery plugin versions prior to 1.8.4.7. The vulnerability arises because the plugin fails to properly escape the $_SERVER['REQUEST_URI'] parameter before including it in an HTML attribute in the plugin's output. This improper sanitization allows an attacker to inject malicious JavaScript code into the URL, which is then reflected back to the user’s browser. When a victim visits a crafted URL containing the malicious payload, the injected script executes in the context of the vulnerable website. This can lead to the theft of session cookies, user impersonation, or other malicious actions that compromise the confidentiality and integrity of user data. The vulnerability is particularly effective against older web browsers that may not have modern XSS protections. According to the CVSS 3.1 scoring, this vulnerability has a score of 6.1 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, no privileges required, but requiring user interaction (the victim must click a malicious link). The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable code, potentially impacting the entire web application session. No known exploits are currently reported in the wild, and no official patch links are provided in the data, but the vulnerability was reserved and published in mid-2022. This vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

For European organizations using WordPress websites with the Envira Photo Gallery plugin versions before 1.8.4.7, this vulnerability poses a risk of client-side script injection. The impact primarily affects the confidentiality and integrity of user sessions and data. Attackers could exploit this vulnerability to hijack user sessions, deface websites, or conduct phishing attacks by injecting malicious scripts that alter page content or redirect users to malicious sites. While the vulnerability does not directly affect server availability, the reputational damage and potential data breaches could have significant consequences, especially for organizations handling sensitive or personal data under GDPR regulations. The requirement for user interaction (clicking a malicious link) somewhat limits the exploitability but does not eliminate risk, as phishing campaigns can be used to lure users. Older browsers, which may still be in use in some environments, are more susceptible to this attack. Given the widespread use of WordPress in Europe across various sectors including government, education, and commerce, the vulnerability could be leveraged to target high-profile websites, potentially leading to data leaks or undermining trust in digital services.

European organizations should immediately verify if their WordPress installations use the Envira Photo Gallery plugin and identify the plugin version. If the version is older than 1.8.4.7, an update to the latest version should be prioritized as the primary mitigation step. In the absence of an official patch, organizations can implement web application firewall (WAF) rules to detect and block suspicious request patterns that include malicious scripts in the REQUEST_URI parameter. Additionally, applying Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts on the website. Organizations should also educate users and administrators about phishing risks and encourage cautious behavior regarding clicking on unknown or suspicious links. Regular security audits and vulnerability scanning of WordPress plugins should be integrated into the security posture to detect outdated or vulnerable components. Finally, monitoring web server logs for unusual request patterns targeting the REQUEST_URI parameter can help identify attempted exploitation attempts.