Description
The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

The plugin contains a stored cross‑site scripting flaw that occurs when URLs are entered in any widget and the input is not fully sanitized or escaped. This flaw enables an attacker who can authenticate to the site with Contributor level or higher to inject arbitrary JavaScript that will execute in the browsers of any visitor who loads the affected page. The injected code can steal user credentials, deface the site, or perform further malicious actions on behalf of the victim; the weakness is identified as CWE‑79.
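As an added illustration (not code from the Pixel Gallery plugin or from Elementor), the vulnerable concatenation of a stored widget URL beside the hardened form that uses WordPress core escaping; the widget setting keys, the function names and the sample values are assumed or constructed, and the functions only resolve inside WordPress.

```php
<?php
// Added illustration, not code from the Pixel Gallery plugin. It mimics an
// Elementor widget render() that outputs a link and an image from its URL
// controls; the $settings keys ('link', 'image', 'alt') are assumed names.
// esc_url(), esc_url_raw() and esc_attr() are WordPress core functions, so
// this runs inside WordPress (e.g. as a mu-plugin), not stand-alone.

// Constructed sample of what a Contributor could save into a widget's URL
// fields. Neither value is a usable URL.
$settings = [
    'link'  => [ 'url' => 'javascript:alert(document.domain)' ],
    'image' => [ 'url' => 'https://example.com/a.jpg" onerror="alert(1)' ],
];

// Vulnerable pattern: stored values are concatenated straight into markup.
// The javascript: scheme runs on click, and the stray quote in the second
// value closes the src attribute and adds an onerror handler, so the script
// executes for every visitor who loads the page.
function render_vulnerable( array $settings ): string {
    return '<a href="' . $settings['link']['url'] . '">'
         . '<img src="' . $settings['image']['url'] . '"></a>';
}

// Hardened pattern. esc_url() keeps only schemes in wp_allowed_protocols()
// (javascript:, data: and vbscript: URLs come back as ''), and strips
// characters that are not valid in a URL, including the double quote used
// to break out of the attribute. esc_attr() covers the non-URL attribute.
function render_hardened( array $settings ): string {
    $href = esc_url( $settings['link']['url'] );
    $src  = esc_url( $settings['image']['url'] );
    if ( '' === $href || '' === $src ) {
        return ''; // refuse to emit markup for a value that was not a usable URL
    }
    $alt = esc_attr( $settings['image']['alt'] ?? '' );
    return '<a href="' . $href . '"><img src="' . $src . '" alt="' . $alt . '"></a>';
}

// Input sanitization belongs at save time as well: esc_url_raw() applies the
// same scheme filtering without the display-time entity encoding, which is
// the form to store in post meta before the value ever reaches render().
function sanitize_widget_url( string $raw ): string {
    return esc_url_raw( trim( $raw ) );
}
```

With the constructed sample, render_hardened() returns an empty string because both values are rejected by esc_url(), which is the intended failure mode for a stored script payload.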

Affected Systems

The flaw affects BDThemes Pixel Gallery Addons for Elementor (Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout and Portfolio Gallery) in all versions up to and including 1.6.7, in the URL fields of every widget. Only systems running those versions of the plugin are impacted.

Risk and Exploitability

The CVSS score of 6.4 denotes moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Exploitation requires a valid Contributor‑level account and the ability to edit widget URLs; the attack vector is therefore authenticated, but once the malicious script is stored it will affect all site visitors. Given the stored nature of the flaw, the malicious payload will persist until the plugin is updated or the stored data is sanitized.

Generated by OpenCVE AI on April 20, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Pixel Gallery Addons to the latest released version that removes the stored XSS flaw.
  • If an update cannot be applied immediately, restrict Contributor and lower roles from editing widget URLs that could carry embedded scripts.
  • As an intermediate measure, clean or sanitize all existing URLs in the database to strip script content or replace them with safe values.


Advisories
Source: EUVD
ID: EUVD-2025-22292
Title: The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 23 Jul 2025 17:45:00 +0000

Type: First Time appeared
Values Added: Elementor / elementor, Wordpress / wordpress

Type: Vendors & Products
Values Added: Elementor / elementor, Wordpress / wordpress

Tue, 22 Jul 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Jul 2025 04:30:00 +0000

Type: Description
Values Added: The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:55.902Z

Reserved: 2025-07-14T15:22:33.545Z

Link: CVE-2025-7644

Vulnrichment

Updated: 2025-07-22T16:26:50.407Z

NVD

Status: Deferred

Published: 2025-07-22T05:15:41.553

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses