Impact
Improper neutralization of input during web page generation has been identified in the PiwigoPress plugin for WordPress, enabling stored cross-site scripting (XSS) that executes arbitrary script in the browsers of users who view the affected content. The weakness is classified as CWE-79 and could allow an attacker to deface pages, phish user credentials, or deliver malware by causing victims' browsers to load attacker-controlled script. Because the flaw is stored, the malicious payload persists in the database and affects every user who subsequently views the compromised content, potentially compromising the confidentiality, integrity, and availability of the information the site presents.
Affected Systems
The issue affects the PiwigoPress plugin for WordPress; the CNA identifies the vendor as vpiwigo and the product as piwigopress. All releases from the earliest available version through version 2.33 are vulnerable, so any WordPress installation running PiwigoPress up to and including 2.33 needs assessment and remediation.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium-severity vulnerability, and the EPSS score of <1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is an attacker submitting malicious content through the plugin's input fields; that content is then stored and rendered for other site visitors, allowing script execution in the victim's browser. This can be performed without elevated privileges, making it accessible to threat actors with limited access to the plugin interface.
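To make the CWE-79 mechanism concrete, the following PHP is an added example written for this page; it is not PiwigoPress code, and the store layout, field names and the render_caption_* functions are hypothetical. It contrasts a render path that interpolates a stored value into HTML verbatim with one that encodes on output. It uses plain htmlspecialchars() so it runs outside WordPress; inside a plugin the equivalents are esc_html() for element content and esc_attr()/esc_url() for attribute and URL values.

```php
<?php
// Added example (not PiwigoPress code): how stored XSS arises in a render
// path and how output encoding neutralizes it. $gallery_store and the
// render_caption_* functions are hypothetical stand-ins.

// Stand-in for a database row the plugin would persist. Both values are
// constructed untrusted input of the kind a submitter could store through
// a plugin input field: one targets element content, one an attribute.
$gallery_store = [
    'caption' => 'Holiday <script>alert(1)</script> album',
    'link'    => 'https://example.invalid/" onmouseover="alert(1)',
];

// VULNERABLE (CWE-79): the stored values are concatenated into markup as-is,
// so the browser parses the <script> element and the injected attribute.
function render_caption_vulnerable(array $row): string
{
    return '<a href="' . $row['link'] . '">' . $row['caption'] . '</a>';
}

// FIXED: encode at the point of output, per HTML context. ENT_QUOTES makes
// htmlspecialchars() escape < > & " and ' so the browser renders them as
// text. (Encoding alone does not reject javascript: URLs; WordPress code
// should pass href values through esc_url() as well.)
function render_caption_fixed(array $row): string
{
    $caption = htmlspecialchars($row['caption'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $link    = htmlspecialchars($row['link'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $link . '">' . $caption . '</a>';
}

// Self-check, runnable with `php this_file.php`.
$bad  = render_caption_vulnerable($gallery_store);
$good = render_caption_fixed($gallery_store);

// The vulnerable output still carries an executable element and a live
// event-handler attribute ...
assert(strpos($bad, '<script>') !== false);
assert(strpos($bad, 'onmouseover="') !== false);
// ... while in the fixed output no tag or attribute delimiter from user data
// survives; the payload is present only as inert text.
assert(strpos($good, '<script>') === false);
assert(strpos($good, '&lt;script&gt;') !== false);
assert(strpos($good, 'onmouseover="') === false);

echo $good, PHP_EOL;
```

The point for remediation review is that the fix belongs at output time and must match the context (element body, attribute, URL), since a value that is safe as text is not automatically safe inside an href.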