Description
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library (version 3.1.6) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability allows an attacker who is logged in with contributor‑level or higher privileges to inject arbitrary JavaScript into pages via the prettyPhoto JavaScript library bundled with several WordPress image and media plugins. The flaw arises from insufficient sanitization and escaping of user‑supplied attributes; when a malicious value is stored, it is rendered unescaped on subsequently visited pages, causing the script to run in the context of the victim’s browser. This can lead to cookie theft, session hijacking, defacement or the deployment of further malware. The risk is confined to users who access the affected pages after the injection, but since any site visitor could be targeted, the impact can be widespread.

Affected Systems

Affected plugins include Devrix Easy Image Gallery, Fuzzoid Easy 3‑D Viewer, Nayon46 Awesome WP Image Gallery, Raihan CSE Awesome Gallery, and WpTipsnTricks WP Video Lightbox. Each of these plugins in various versions incorporates prettyPhoto 3.1.6, which contains the unprotected input handling that enables the stored XSS. No specific version ranges were provided, but the vulnerability applies to all releases that ship the unpatched prettyPhoto library.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, with an EPSS score below 1% and no listing in the CISA KEV catalog. The need for authenticated contributor access makes exploitation less likely in the wild, yet the potential for widespread impact on site visitors warrants prompt action. Attackers would typically create or modify content, such as an image title or caption, containing malicious script fragments that are later rendered when any user accesses that content. The reliance on a specific user role makes targeting relatively straightforward for sites with large contributor bases.

Generated by OpenCVE AI on April 22, 2026 at 01:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update each affected plugin to the latest version that includes the fixed prettyPhoto library or the vendor’s patch for the XSS issue.
  • Disable the prettyPhoto feature or deactivate the affected plugin until a patched version is available to eliminate the vulnerability from execution paths.
  • Audit existing content for malicious scripts in image titles or captions, remove or sanitize any discovered payloads, and review user inputs to ensure no future injections can be stored.


Advisories

Source: EUVD
ID: EUVD-2025-19857
Title: Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library (version 3.1.6) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Wed, 08 Apr 2026 17:45:00 +0000


Thu, 03 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Jul 2025 11:30:00 +0000

Type: Description
Values Added: Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library (version 3.1.6) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via prettyPhoto JavaScript Library

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (not listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:58.796Z

Reserved: 2025-03-19T22:12:17.253Z

Link: CVE-2025-2540

Vulnrichment

Updated: 2025-07-03T13:04:11.372Z

NVD

Status: Deferred

Published: 2025-07-03T12:15:24.483

Modified: 2026-06-17T09:07:08.500

Link: CVE-2025-2540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')