CVE-2025-11834 - Vulnerability Details

- WP AD Gallery <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-10-22

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WP AD Gallery plugin for WordPress suffers from insufficient input sanitization and output escaping on the startindex parameter of the ad‑gallery shortcode. This flaw enables an authenticated attacker who possesses contributor‑level access or higher to inject arbitrary JavaScript code. When other users view a page that contains the malicious shortcode, the injected script runs with the victim’s browser context.

Affected Systems

All WordPress installations that use WP AD Gallery version 1.3 or earlier are affected. The vulnerability exists in every release up to and including 1.3 and is present across all platforms that support the plugin, such as sites hosted on shared or dedicated WordPress environments.

Risk and Exploitability

The CVSS score of 6.4 represents a moderate severity; the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with at least contributor privileges to exploit this issue. Once authenticated, the attacker can submit a crafted startindex value, resulting in stored cross‑site scripting that affects any user who afterwards visits the injected page. Because the flaw is stored, the malicious content persists until the shortcode is removed or the plugin is upgraded.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wiellyam

WP AD Gallery

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3

No data.

Vendor	Product	Confidence	Versions
Wiellyam	Wp Ad Gallery	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the WP AD Gallery plugin to any version newer than 1.3 to eliminate the vulnerability
If an upgrade is not immediately possible, remove or disable the WP AD Gallery plugin from the site
Restrict contributor or higher level account privileges, and audit user roles to ensure only trusted users can submit content that contains shortcodes

Generated by OpenCVE AI on April 28, 2026 at 10:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-ad-gallery/tags/1.3/shortcode/shortcode.php#L177
https://www.wordfence.com/threat-intel/vulnerabilities/id/0144ae03-00ce-481d-8d29-7a484f1f6cbf?source=cve

History

Thu, 23 Oct 2025 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wiellyam Wiellyam wp Ad Gallery Wordpress Wordpress wordpress
Vendors & Products		Wiellyam Wiellyam wp Ad Gallery Wordpress Wordpress wordpress

Wed, 22 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Oct 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description		The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		WP AD Gallery <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/wp-ad-gallery/tags/1.3/shortcode/shortcode.php#L177 https://www.wordfence.com/threat-intel/vulnerabilities/id/0144ae03-00ce-481d-8d29-7a484f1f6cbf?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wiellyam Wp Ad Gallery

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-22T08:27:02.620Z

Updated: 2026-04-08T16:32:27.336Z

Reserved: 2025-10-15T19:11:30.761Z

Link: CVE-2025-11834

Vulnrichment

Updated: 2025-10-22T13:25:12.820Z

NVD

Status : Deferred

Published: 2025-10-22T09:15:34.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:45:29Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object