CVE-2025-22566
Published: 28 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-22566 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the ULTIMATE VIDEO GALLERY WordPress plugin by extendyourweb (ultimate-gallery). Published on 2025-03-28, it affects all versions from n/a through 1.4 inclusive, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low attack complexity, requiring user interaction such as visiting a maliciously crafted URL. Exploitation reflects attacker-controlled input into the web page without proper neutralization, enabling script execution in the victim's browser context due to the changed scope (S:C). This can result in low-level impacts to confidentiality, integrity, and availability, such as stealing session cookies, defacing pages, or keystroke logging within the site's domain.
Mitigation details for this WordPress plugin vulnerability are documented in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ultimate-gallery/vulnerability/wordpress-ultimate-video-gallery-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation via crafted malicious URLs (T1204.001) leading to arbitrary JavaScript execution in browser (T1059.007) on the vulnerable web application (T1190).