Description
The admin.php?page=notification_by_mail page in Piwigo 2.9.5 is vulnerable to cross-site scripting (XSS) via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. The issue is exploitable via cross-site request forgery (CSRF).