Description The plugin does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers.
1. Use a proxy such as BurpSuite to add the following header to all requests: X-Forwarded-For: 11.11.11.11 2. Create a gallery and add its shortcode to a page. 3. As an unauthenticated user, upload an image to the gallery from the frontend. 4. As an administrator, click on “Contest Gallery” in the sidebar and click “Edit Gallery” on the gallery entry to trigger the XSS.