CVE-2025-1513

CVE-2025-1513 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress. It affects all versions up to and including 26.0.0.1 due to insufficient input sanitization and output escaping in the Name and Comment fields when users comment on photo gallery entries. This flaw enables the injection of arbitrary web scripts into pages, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low complexity, lack of privileges or user interaction required, and changed scope.

Unauthenticated attackers can exploit the vulnerability by submitting malicious scripts via the Name or Comment fields during photo gallery comments. The injected scripts are then stored persistently and execute in the browser context of any user who views the affected page, potentially compromising confidentiality and integrity through actions like stealing cookies, session tokens, or sensitive data displayed on the page.

Advisories reference a patch in the WordPress plugin trac repository at changeset 3245199 for the contest-gallery repository, indicating remediation through an updated plugin version. Wordfence threat intelligence provides further details on the vulnerability at their dedicated page.