Description
The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The PhotoFade plugin for WordPress contains a stored Cross-Site Scripting flaw that originates from insufficient input sanitization and output escaping of the 'time' attribute used in the plugin's shortcodes. Authenticated users with Contributor-level access or higher can embed arbitrary JavaScript that is persisted in the post or page content and executed in the browser of every visitor who views the affected page. This is a classic injection weakness, classified as CWE-79 (improper neutralization of input during web page generation), which results in attacker-controlled script running in the context of any site that uses the plugin.

Affected Systems

The vulnerability affects the PhotoFade plugin developed by davidangel. WordPress sites running any version of the plugin up to and including 0.2.1 are at risk. The issue is independent of the core WordPress version; any page, post, or custom post type that includes the plugin's shortcode may carry injected content.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate impact, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with a Contributor role or higher, after which they can inject the malicious script via the 'time' attribute. The stored payload is then rendered to all visitors of the affected content, so the injected JavaScript runs in the browser of every site user who views it.

Generated by OpenCVE AI on April 27, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PhotoFade plugin to a version later than 0.2.1 or uninstall the plugin if it is no longer required.
  • If an upgrade cannot be performed immediately, reduce the privileges of Contributor accounts so that only trusted users can create or edit content.
  • Review all existing content that uses the PhotoFade shortcode and manually delete or clean any entries that contain inserted script fragments.
  • Implement an application-level content security policy or employ a security plugin that blocks untrusted scripts stored in post content.

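The weakness class the analysis describes (a shortcode attribute reaching HTML output without sanitization or escaping) next to the fix pattern the recommended actions rely on, as an added PHP illustration that is not the PhotoFade plugin's code: the shortcode name `example_fade`, its markup and the accepted range for `time` are assumptions.

```php
<?php
// Added illustration of the weakness class and its fix; not PhotoFade's code.
// Shortcode name, markup and the accepted range for 'time' are assumptions.
// Intended to run inside WordPress (uses shortcode_atts, absint, esc_attr).
//
// Why Contributor access is enough: post content is KSES-filtered for users
// without unfiltered_html, but shortcode attributes are read back at render
// time, so a handler that echoes them raw produces markup KSES never saw.

// Vulnerable pattern: shortcode_atts() only merges defaults; it does not
// sanitize, so whatever was typed as time="..." lands in the markup as-is.
function example_fade_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'time' => '3' ), $atts, 'example_fade' );
    // Unsanitized, unescaped value inside an HTML attribute context.
    return '<div class="example-fade" data-time="' . $atts['time'] . '"></div>';
}

// Hardened pattern: validate the type on input, then escape for the output
// context. A fade duration is a whole number of seconds, so absint() discards
// anything that is not a non-negative integer; esc_attr() is the correct
// escape for a value placed inside an HTML attribute.
function example_fade_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'time' => 3 ), $atts, 'example_fade' );
    $time = absint( $atts['time'] );
    // Clamp to a sane range so a bogus value falls back to the default
    // (the 1..60 second bounds are an assumption for this illustration).
    if ( $time < 1 || $time > 60 ) {
        $time = 3;
    }
    return '<div class="example-fade" data-time="' . esc_attr( $time ) . '"></div>';
}

// For attributes that genuinely need to stay strings (a CSS class name, a
// label), the same shape applies: sanitize_text_field() or sanitize_html_class()
// on input, esc_attr() or esc_html() at the point of output.

// Register only the hardened handler.
add_shortcode( 'example_fade', 'example_fade_shortcode_fixed' );
```

When reviewing stored content per the recommended actions, the handler is the place to look: a shortcode whose attributes are concatenated into output without an `esc_*` call at the point of use is the pattern to fix, regardless of what sanitization happens on save.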

Tracking


Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 09:30:00 +0000

Type                 Values Removed   Values Added
Description                           The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                 PhotoFade <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1
                                      {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:17.052Z

Reserved: 2025-12-01T19:45:30.844Z

Link: CVE-2025-13847

Vulnrichment

Updated: 2026-01-07T16:14:23.780Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:50.290

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses