Description
Cross-Site Request Forgery (CSRF) vulnerability in tiefpunkt Add Linked Images To Gallery add-linked-images-to-gallery-v01 allows Cross Site Request Forgery. This issue affects Add Linked Images To Gallery: from n/a through <= 1.4.
Published: 2025-02-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross-Site Request Forgery in the WordPress Add Linked Images To Gallery plugin lets an attacker cause a logged-in user to send a request that stores arbitrary JavaScript in the gallery data. The stored script is rendered in galleries viewed by anyone, enabling session hijacking, data theft, defacement, or further exploitation of site privileges.

Affected Systems

The vulnerability affects the WordPress Add Linked Images To Gallery plugin, shipped by tiefpunkt, in all releases up through version 1.4. Any WordPress site that has this plugin installed and active is potentially impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating significant risk, but its EPSS score is below 1% and it is not listed in CISA's KEV catalog, suggesting it is not widely exploited yet. The likely attack vector requires the victim to be a privileged user who is tricked into visiting a crafted link that submits the malicious request. As with any CSRF, the attacker relies on the victim's authenticated session; what sets this case apart is that the forged request persists a malicious payload, which is subsequently executed for every user who views the infected gallery.

Generated by OpenCVE AI on May 1, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update for Add Linked Images To Gallery (≥1.5) once it becomes available.
  • If an update is not available, deactivate or uninstall the plugin until a patch is released.
  • Restrict the plugin’s administrative interface to trusted administrators only and consider deploying a WAF rule to block suspicious CSRF payloads.

Advisories
Source: EUVD
ID: EUVD-2025-4359
Title: Cross-Site Request Forgery (CSRF) vulnerability in tiefpunkt Add Linked Images To Gallery allows Cross Site Request Forgery. This issue affects Add Linked Images To Gallery: from n/a through 1.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in tiefpunkt Add Linked Images To Gallery allows Cross Site Request Forgery. This issue affects Add Linked Images To Gallery: from n/a through 1.4.
Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in tiefpunkt Add Linked Images To Gallery add-linked-images-to-gallery-v01 allows Cross Site Request Forgery. This issue affects Add Linked Images To Gallery: from n/a through <= 1.4.
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Feb 2025 17:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Feb 2025 15:00:00 +0000

Description: Cross-Site Request Forgery (CSRF) vulnerability in tiefpunkt Add Linked Images To Gallery allows Cross Site Request Forgery. This issue affects Add Linked Images To Gallery: from n/a through 1.4.
Title: WordPress Add Linked Images To Gallery plugin <= 1.4 - CSRF to Stored XSS vulnerability
Weaknesses: CWE-352
References
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.965Z

Reserved: 2025-02-21T16:45:10.728Z

Link: CVE-2025-27277

Vulnrichment

Updated: 2025-02-24T17:01:39.742Z

NVD

Status : Deferred

Published: 2025-02-24T15:15:14.867

Modified: 2026-06-17T09:03:19.497

Link: CVE-2025-27277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:00:16Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)