Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS.This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected XSS flaw allows an attacker to inject JavaScript into the web page generated by the WordPress Photo Gallery plugin. When a victim visits a crafted URL or gallery page, the unneutralized input is echoed back, enabling the attacker to execute arbitrary code in the victim’s browser. This can lead to session hijacking, credential theft, defacement, or redirecting users to malicious sites.

Affected Systems

The issue affects the adamlabs WordPress Photo Gallery plugin (photo-gallery‑portfolio) on any WordPress installation using version 1.1.0 or earlier. No additional products or versions are listed.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderately high severity, but the EPSS score of < 1% means that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. Because the error is reflected, an attacker must entice a user to open a crafted link; the attack vector is remote and does not require authentication or privileged access. The risk to an organization depends on how many sites run the affected plugin and whether those sites host sensitive user data.

Generated by OpenCVE AI on April 30, 2026 at 04:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Photo Gallery plugin to the latest available version (if 1.1.0 is vulnerable).
  • If an upgrade is not immediately possible, implement strict content‑security‑policy headers and enable X‑XSS‑Protection to reduce the impact of script execution.
  • Disable or remove the plugin entirely from sites where it is not required.

Generated by OpenCVE AI on April 30, 2026 at 04:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Adamlabs
Adamlabs wordpress Photo Gallery
Wordpress
Wordpress wordpress
Vendors & Products Adamlabs
Adamlabs wordpress Photo Gallery
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS.This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0.
Title WordPress WordPress Photo Gallery plugin <= 1.1.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References

Subscriptions

Adamlabs Wordpress Photo Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:21.689Z

Reserved: 2025-06-27T10:28:11.949Z

Link: CVE-2025-53240

cve-icon Vulnrichment

Updated: 2026-01-26T21:58:11.059Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:15:57.757

Modified: 2026-04-27T17:16:27.870

Link: CVE-2025-53240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T04:30:27Z

Weaknesses