Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bvads BVD Easy Gallery Manager bvd-easy-gallery-manager allows Reflected XSS. This issue affects BVD Easy Gallery Manager: from n/a through <= 1.0.6.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation allows an attacker to inject script that the vulnerable page reflects back into the victim's browser. An attacker exploiting this reflected XSS flaw could steal user credentials, hijack sessions, or deface the website, violating confidentiality and integrity. The vulnerability is classified as CWE-79, a common client-side injection weakness.

Affected Systems

The BVD Easy Gallery Manager plugin for WordPress, versions up to and including 1.0.6, is affected. Any installation of the plugin within this version range is susceptible to exploitation.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 is rated High, while an EPSS score below 1% indicates a low current probability of exploitation. Because the flaw is reflected, it would typically be triggered when a victim follows a crafted link or interacts with the plugin's interface. The vulnerability is not listed in the CISA KEV catalog, but administrators should still treat it as a significant risk given the potential impact of XSS.

Generated by OpenCVE AI on May 1, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BVD Easy Gallery Manager to the latest version that removes the XSS flaw
  • If an immediate upgrade is not possible, disable or delete the plugin to eliminate the attack surface
  • Apply server-side input validation or a Content Security Policy to mitigate risk while the plugin remains in use

Advisories
Source: EUVD
ID: EUVD-2025-2752
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Balcom-Vetillo Design, Inc. BVD Easy Gallery Manager allows Reflected XSS. This issue affects BVD Easy Gallery Manager: from n/a through 1.0.6.
History

Wed, 29 Apr 2026 10:15:00 +0000
Metrics (cvssV3_1), values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
Description, value removed:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Balcom-Vetillo Design, Inc. BVD Easy Gallery Manager allows Reflected XSS. This issue affects BVD Easy Gallery Manager: from n/a through 1.0.6.
Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bvads BVD Easy Gallery Manager bvd-easy-gallery-manager allows Reflected XSS. This issue affects BVD Easy Gallery Manager: from n/a through <= 1.0.6.
References (changed; values not shown)
Metrics (cvssV3_1), values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 16:15:00 +0000
Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 11:00:00 +0000
Description, value added:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Balcom-Vetillo Design, Inc. BVD Easy Gallery Manager allows Reflected XSS. This issue affects BVD Easy Gallery Manager: from n/a through 1.0.6.
Title, value added: WordPress BVD Easy Gallery Manager plugin <= 1.0.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses, value added: CWE-79
References (changed; values not shown)
Metrics (cvssV3_1), values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:53.728Z

Reserved: 2025-01-03T13:16:49.451Z

Link: CVE-2025-22353

Vulnrichment

Updated: 2025-01-07T15:51:43.638Z

NVD

Status: Deferred

Published: 2025-01-07T11:15:18.693

Modified: 2026-04-29T10:16:39.060

Link: CVE-2025-22353

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:45:26Z

Weaknesses