CVE-2025-5686
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-06-06
Assigner: Wordfence
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Paged Gallery plugin for WordPress, affecting all versions up to and including 0.7. It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its 'gallery' shortcode. This allows authenticated users with contributor-level access or higher to inject malicious scripts into pages, which then execute whenever those pages are viewed.
How can this vulnerability impact me?
This vulnerability can allow attackers with contributor-level access or higher to inject arbitrary scripts into web pages. These scripts can execute in the context of users viewing the affected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions that compromise the security and integrity of the website and its users.
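As an added illustration (not BaseFortify's text or the Paged Gallery plugin's code), the hypothetical handler below contrasts the bug class described above, a shortcode that copies author-supplied attributes straight into markup, with one that declares its attributes and escapes each value for the HTML context it lands in using WordPress's own escaping functions. The shortcode name, attribute names and function names are assumptions, and the snippet is meant to run inside WordPress.

```php
<?php
/*
 * Hypothetical WordPress shortcode handler (not Paged Gallery's code) showing the
 * bug class behind CVE-2025-5686 (CWE-80): shortcode attributes are user-controlled
 * input from anyone who can author a post, so they must be escaped for the
 * context they are written into.
 */

// Vulnerable pattern: attribute values are concatenated straight into markup.
// Shown for contrast only; never register a handler like this.
function demo_gallery_unsafe( $atts ) {
    $atts  = (array) $atts;
    $html  = '<div class="demo-gallery" title="' . $atts['title'] . '">';
    $html .= '<a href="' . $atts['link'] . '">' . $atts['caption'] . '</a>';
    return $html . '</div>';
}

// Hardened pattern: declare the accepted attributes with defaults, coerce types,
// and escape every value for the exact context it is emitted into.
function demo_gallery_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'title'   => '',
            'caption' => '',
            'link'    => '',
            'columns' => 3,
        ),
        $atts,
        'demo_gallery'
    );

    $columns = min( max( absint( $atts['columns'] ), 1 ), 12 ); // numeric and bounded
    $link    = esc_url( $atts['link'] );                       // '' for disallowed schemes

    $html  = '<div class="demo-gallery columns-' . $columns . '"';
    $html .= ' title="' . esc_attr( $atts['title'] ) . '">';    // HTML attribute context
    if ( '' !== $link ) {
        $html .= '<a href="' . $link . '">' . esc_html( $atts['caption'] ) . '</a>'; // text context
    } else {
        $html .= esc_html( $atts['caption'] );
    }
    return $html . '</div>';
}

add_shortcode( 'demo_gallery', 'demo_gallery_safe' );
```

Because contributors can place shortcodes in content that higher-privileged users later preview or publish, the hardened handler treats every attribute as untrusted regardless of who authored the post.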