Description
The Photographers galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes (`w`, `h`, `raw_css`, `look`, etc.) in all versions up to, and including, 1.1.8. This is due to the plugin not properly sanitizing user input or escaping output when inserting these values into HTML attributes and inline styles. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting with contributor‑level access
Action: Patch Immediately
AI Analysis

Impact

The Photographers galleries plugin fails to sanitize or escape several shortcode attributes such as w, h, raw_css, look, and others. An authenticated contributor or higher can insert arbitrary JavaScript into these attributes. When a user subsequently views a page that contains the injected shortcode, the script runs in that user’s browser, enabling attackers to hijack sessions, steal credentials, or deliver malicious payloads. The flaw is a classic stored XSS (CWE‑79).
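As an added illustration (not the Photographers galleries plugin's own code), the following shortcode handler shows the hardened form of the pattern the description refers to: each attribute is coerced or allow-listed for the context it lands in (HTML attribute or inline style) and then escaped with WordPress's own helpers. The shortcode tag `example_gallery`, the handler name, and the permitted `look` values are assumptions; the attribute names `w`, `h`, `look` and `raw_css` are the ones the advisory lists.

```php
<?php
// Added illustration, not the plugin's code. Attribute names follow the
// advisory (w, h, look, raw_css); the tag and allowed values are assumed.
//
// The unsafe pattern the advisory describes concatenates attribute values
// straight into markup, e.g.
//   '<div style="width:' . $atts['w'] . 'px" class="' . $atts['look'] . '">'
// so a contributor-supplied value can break out of the attribute or style.

function example_gallery_shortcode( $atts ) {
    // Normalise the attribute set so every key exists with a safe default.
    $atts = shortcode_atts(
        array( 'w' => 300, 'h' => 200, 'look' => 'default', 'raw_css' => '' ),
        $atts,
        'example_gallery'
    );

    // Dimensions are numbers: coerce to non-negative integers so no markup
    // can survive, whatever the author typed.
    $w = absint( $atts['w'] );
    $h = absint( $atts['h'] );

    // The look is an enumeration: accept only known values, never the raw string.
    $allowed_looks = array( 'default', 'dark', 'light' );
    $look = in_array( $atts['look'], $allowed_looks, true ) ? $atts['look'] : 'default';

    // Free-form CSS goes through WordPress's own KSES CSS filter, which drops
    // disallowed properties and dangerous values instead of trusting the author.
    $raw_css = safecss_filter_attr( $atts['raw_css'] );

    // Build the style string from the cleaned parts only.
    $style = sprintf( 'width:%dpx;height:%dpx;%s', $w, $h, $raw_css );

    // Escape for the attribute context even though the values are already
    // constrained: esc_attr() is what stops a quote from closing the attribute.
    return sprintf(
        '<div class="gallery look-%s" style="%s"></div>',
        esc_attr( $look ),
        esc_attr( $style )
    );
}
add_shortcode( 'example_gallery', 'example_gallery_shortcode' );
```

The same two steps apply to every attribute the plugin echoes: constrain the value to its expected shape (integer, allow-list, filtered CSS) and then escape it for the exact context it is written into.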

Affected Systems

All WordPress sites running Photographers galleries version 1.1.8 or earlier are vulnerable. The issue does not affect later releases of the plugin. Any installation that has enabled shortcodes with the affected attributes is susceptible, regardless of WordPress theme or other plugins.

Risk and Exploitability

The CVSS score of 6.4 reflects a moderate severity: authentication is required (contributor or higher) and the impact is confined to the browsers of users who view the compromised page. The EPSS score of less than 1% suggests that exploitation is currently unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker who can gain contributor rights can inject persistent code via the shortcode, leading to cross‑site scripting that may be used for phishing, malware delivery, or defacement. Mitigation is straightforward once a fix is applied, but until then sites remain at risk from active attackers with contributor privileges.

Generated by OpenCVE AI on April 22, 2026 at 12:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Photographers galleries to version 1.1.9 or later, where the shortcode attribute sanitization has been corrected.
  • Restrict contributor or higher access to only users who require it, and consider removing the Contributor role if it is not needed.
  • Audit existing galleries to ensure no malicious shortcodes remain and re‑run the plugin with the updated code; manually sanitize any custom content if upgrade is not immediately possible.

Generated by OpenCVE AI on April 22, 2026 at 12:40 UTC.


Advisories

No advisories yet.

History

Thu, 23 Oct 2025 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 22 Oct 2025 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 08:45:00 +0000

Type          Values Removed   Values Added
Description                    The Photographers galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes (`w`, `h`, `raw_css`, `look`, etc.) in all versions up to, and including, 1.1.8. This is due to the plugin not properly sanitizing user input or escaping output when inserting these values into HTML attributes and inline styles. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                          Photographers galleries <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:34.781Z

Reserved: 2025-10-16T14:54:37.047Z

Link: CVE-2025-11866

Vulnrichment

Updated: 2025-10-22T13:21:14.171Z

NVD

Status : Deferred

Published: 2025-10-22T09:15:34.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses