Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in odihost Easy Gallery simple-gallery-odihost allows Reflected XSS. This issue affects Easy Gallery: from n/a through <= 1.4.
Published: 2025-03-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during web page generation (CWE-79) that allows reflected cross-site scripting in the Easy Gallery plugin. Request data is copied into the HTML the plugin emits without adequate escaping, so an attacker who gets a victim to open a crafted link can run arbitrary JavaScript in the victim's browser within the origin of the WordPress site. That script can read anything the page can (including session cookies that are not marked HttpOnly), issue requests as the logged-in user, deface content or redirect the victim, with the most serious outcomes when the victim is an administrator.
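The sink CWE-79 describes, reduced to a Python model so the mechanism can be checked offline. This is an added example, not code from the Easy Gallery plugin (the vulnerable code is not shown on this page): the parameter name `title`, the payload and the two rendering functions are assumptions. `render_unsafe` reflects the parameter unescaped; `render_safe` applies attribute-context escaping, which in WordPress is `esc_attr()` (with `esc_html()` for text nodes). An HTML parser then counts how many `on*` event handlers a browser would actually wire up in each output.

```python
import html
from html.parser import HTMLParser

# Constructed payload: closes the surrounding attribute value and plants an event handler.
XSS_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def render_unsafe(title: str) -> str:
    """Hypothetical reflected sink: a request parameter copied into HTML unescaped (CWE-79)."""
    return f'<input type="text" name="title" value="{title}">'


def render_safe(title: str) -> str:
    """Hardened form: escape for the attribute context (WordPress equivalent: esc_attr())."""
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'


class EventHandlerCounter(HTMLParser):
    """Records on* attributes exactly as an HTML parser (and so a browser) would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((name, value or ""))


def count_event_handlers(markup: str) -> int:
    """Number of event-handler attributes a browser would wire up for this markup."""
    parser = EventHandlerCounter()
    parser.feed(markup)
    parser.close()
    return len(parser.handlers)


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(XSS_PAYLOAD)
        print(f"{label}: {count_event_handlers(out)} handler(s) -> {out}")
```

The unsafe rendering yields one `onfocus` handler (the attribute breakout succeeded); the safe rendering yields none, because the quote in the payload becomes `&quot;` and the whole string stays inside the original `value` attribute. The escape must match the context: attribute escaping does not make the same value safe inside a `<script>` block or a `javascript:` URL.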

Affected Systems

The affected product is the WordPress Easy Gallery plugin (slug simple-gallery-odihost) by OdiHost, version 1.4 and all earlier releases. The record lists no fixed version, so every release up to and including 1.4 should be treated as vulnerable, and any later release should be checked against the vendor changelog before it is assumed to be fixed.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L describes a network-reachable flaw that needs no privileges and no special conditions but does require user interaction, with scope changed because the script runs in the victim's browser rather than on the server. The EPSS score below 1% indicates a low current probability of exploitation in the wild, the SSVC assessment records no known exploitation and rates the issue as not automatable, and it is not listed in CISA's KEV catalog. The expected attack path is a crafted URL (delivered by phishing, a forum post or a redirect) whose parameter is reflected into the page the plugin generates; the payload runs only once the victim follows the link, so the threat depends on social engineering but can still lead to session hijacking and site defacement.

Generated by OpenCVE AI on May 1, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Easy Gallery plugin as soon as the vendor publishes a release later than 1.4; the record lists no fixed version, so confirm in the plugin changelog that the update addresses this issue before relying on it.
  • If an upgrade is not immediately possible, disable or delete the plugin from the WordPress installation to prevent the vulnerable code from executing.
  • As a compensating control, deploy a Web Application Firewall rule that blocks requests whose query parameters carry script tags, event-handler attributes or javascript: URLs, and review access logs for the same patterns; treat this as a stopgap rather than a fix, since encoded or obfuscated payloads can slip past signature matching.
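A log check matching the last recommendation, as an added example (not an OpenCVE, Patchstack or vendor tool). It parses Apache/nginx combined-format access log lines, URL-decodes each query parameter repeatedly so double-encoded payloads are not missed, and flags values containing script tags, event-handler attributes or javascript: URLs. The sample log lines and the parameter name `gallery` are constructed; the record does not name the vulnerable parameter, so the scanner inspects every parameter of every request.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators of reflected-XSS probing, applied after URL decoding. This list is an
# assumption for the example, not a vendor or WAF signature.
XSS_INDICATORS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:"
    r"|\bsrcdoc\s*=",
    re.IGNORECASE,
)

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one benign gallery view, a plain probe, a double-encoded probe,
# and an unrelated admin-ajax call. Addresses are from the documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Mar/2025:14:20:01 +0000] "GET /?gallery=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Mar/2025:14:20:05 +0000] "GET /?gallery=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Mar/2025:14:21:30 +0000] "GET /?gallery=%2522%2520onerror%253Dalert(1)%2520 HTTP/1.1" 200 5190 "-" "curl/8.0"',
    '192.0.2.4 - - [03/Mar/2025:14:22:00 +0000] "GET /wp-admin/admin-ajax.php?action=load_gallery&id=12 HTTP/1.1" 200 880 "https://example.test/" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; double encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict[str, str]:
    """Return {param: decoded value} for query parameters matching an XSS indicator."""
    query = urlsplit(target).query
    hits = {}
    for name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        value = fully_decode(raw)
        if XSS_INDICATORS.search(value):
            hits[name] = value
    return hits


def scan_log(lines: list[str]) -> list[tuple[str, int, str, dict[str, str]]]:
    """Return (client ip, status, path, flagged params) for requests that look like XSS probes."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing the whole scan
        hits = suspicious_params(m["target"])
        if hits:
            findings.append((m["ip"], int(m["status"]), urlsplit(m["target"]).path, hits))
    return findings


if __name__ == "__main__":
    for ip, status, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path} {hits}")
```

A 200 response to a flagged request does not by itself prove the payload was reflected unescaped, only that the page was served; the hit list tells you which source addresses and parameters to pull into a closer review. Extend the indicator list with care, since broad patterns such as `on[a-z]+=` will also match legitimate text in some parameters.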

Generated by OpenCVE AI on May 1, 2026 at 15:00 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-5735
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Gallery allows Reflected XSS. This issue affects Easy Gallery: from n/a through 1.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Gallery allows Reflected XSS. This issue affects Easy Gallery: from n/a through 1.4.
  Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in odihost Easy Gallery simple-gallery-odihost allows Reflected XSS. This issue affects Easy Gallery: from n/a through <= 1.4.
  References: changed (values not listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 04 Mar 2025 03:45:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

  Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Gallery allows Reflected XSS. This issue affects Easy Gallery: from n/a through 1.4.
  Title added: WordPress Easy Gallery plugin <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses added: CWE-79
  References: changed (values not listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:54:58.933Z

Reserved: 2025-01-16T11:25:20.560Z

Link: CVE-2025-23487

Vulnrichment

Updated: 2025-03-03T20:20:34.977Z

NVD

Status : Deferred

Published: 2025-03-03T14:15:37.787

Modified: 2026-06-17T08:54:45.820

Link: CVE-2025-23487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')