Hello, we did see this message, but unfortunately the author of the report is currently not responding to us despite multiple attempts to reach out through Patchstack. Because of this, we do not have access to the report details and therefore cannot verify or fix the issue yet.
From my side, I can only assume that this may be related to Contributor-level permissions — for example, if users with the Contributor role on your site attempted to add harmful links or scripts through gallery content, that could potentially create a problem. However, until Patchstack restores our access to the report, we are unable to properly investigate or close the issue on their platform.
We are keeping this on our radar and continue to request access periodically. Unfortunately, unlike reports coming from the official WordPress Plugin Directory team — where volunteers send issues to developers through a centralized WordPress infrastructure — communication with independent researchers can sometimes be much more complicated.
Please update the plugin to the latest version, and this vulnerability will no longer affect you.
