CVE-2025-14835
Reflected XSS in WP Photo Album Plus Shortcode Parameter
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_photo_album_plus | wp_photo_album_plus | up to and including 9.1.05.008 |
| wp_photo_album_plus | wp_photo_album_plus | 9.1.05.004 |
| wp_photo_album_plus | wp_photo_album_plus | 9.1.06.00 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Photo Album Plus WordPress plugin (up to version 9.1.05.008) is a Reflected Cross-Site Scripting (XSS) issue via the 'shortcode' parameter. Due to insufficient input sanitization and output escaping, unauthenticated attackers can inject arbitrary web scripts into pages. These scripts execute if a user is tricked into performing an action like clicking a malicious link. The vulnerability arises because the plugin does not properly sanitize shortcode inputs before rendering them, allowing malicious code injection. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website, potentially leading to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. Since the attack is reflected and requires user interaction (such as clicking a crafted link), it can be used in phishing attacks to compromise users visiting the site. The CVSS score of 7.1 indicates a high severity with impacts on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Reflected Cross-Site Scripting (XSS) via the 'shortcode' parameter in the WP Photo Album Plus plugin versions up to 9.1.05.008. Detection can be done by monitoring HTTP requests to your WordPress site for suspicious or malicious payloads in the shortcode parameter, especially in URLs or POST data. You can use web server logs or network traffic inspection tools to look for typical XSS payloads such as `<script>` tags or JavaScript event handlers within the shortcode parameter. For example, using command-line tools like grep on web server logs to find suspicious shortcode usage: `grep -i 'shortcode=.*<script' /var/log/apache2/access.log`. Additionally, using a web vulnerability scanner that supports XSS detection on WordPress plugins can help identify exploitation attempts. Since the vulnerability requires user interaction (UI:R), monitoring for unusual user clicks or reports of unexpected script execution can also help. There are no specific commands provided in the resources, but general web log inspection and scanning for XSS payloads in shortcode parameters are recommended. [1, 3]
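A log-inspection script for the approach described above, added here as an example and not code from the advisory, Wordfence or the plugin: it parses combined-format access-log lines, URL-decodes the shortcode parameter (twice, so that double-encoded values a plain grep for `<script` never sees are still caught) and flags values carrying generic XSS markers. The log lines embedded in it are constructed samples, and the marker patterns are generic rather than specific to this plugin.

```python
"""Flag suspicious values of the 'shortcode' request parameter in web-server access
logs, as a detection aid for CVE-2025-14835. Decodes the parameter (twice, to catch
double-encoding) before matching, which a plain grep for '<script' does not do."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a combined-format log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')

# Generic reflected-XSS markers (assumed signatures, not specific to this plugin).
XSS_MARKERS = re.compile(
    r"<\s*/?\s*script|<\s*(?:img|svg|iframe|body)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def extract_shortcode_values(line):
    """Return the URL-decoded 'shortcode' values found in one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs decodes once; unquote again so %253C (double-encoded '<') is caught too.
    values = parse_qs(query, keep_blank_values=True).get("shortcode", [])
    return [unquote(v) for v in values]

def is_suspicious(value):
    """True when a decoded parameter value carries a common XSS marker."""
    return bool(XSS_MARKERS.search(value))

def scan_log(lines):
    """Return [(line_number, decoded_value)] for requests with a suspicious shortcode."""
    hits = []
    for n, line in enumerate(lines, 1):
        for value in extract_shortcode_values(line):
            if is_suspicious(value):
                hits.append((n, value))
    return hits

# Constructed sample log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2026:10:00:01 +0000] "GET /?shortcode=%5Bgallery%20ids%3D%221%2C2%22%5D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jan/2026:10:00:05 +0000] "GET /?shortcode=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jan/2026:10:00:09 +0000] "GET /?shortcode=%253Cscript%253E1%253C%252Fscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Jan/2026:10:00:12 +0000] "GET /?page_id=2&shortcode=x%22+onmouseover%3Dalert(1)+y HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2026:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious shortcode value {value!r}")
```

Only the first sample line is benign; the second and third would be missed by the grep above because the angle brackets are percent-encoded in the log, and POST bodies are not in access logs at all, so pair this with WAF or application-level logging for POST data.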
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Photo Album Plus plugin to version 9.1.06.00 or later, where the vulnerability is fixed by enhanced sanitization of shortcode inputs using functions like sanitize_text_field() and stripslashes(). This update also improves frontend visibility controls based on user roles. If updating immediately is not possible, consider disabling the plugin or restricting access to pages using the shortcode parameter until the update can be applied. Additionally, applying Web Application Firewall (WAF) rules to block suspicious shortcode parameter inputs can help mitigate exploitation attempts. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of CVE-2025-14835 on compliance with common standards and regulations such as GDPR or HIPAA.