CVE-2025-24707
Published: 03 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24707 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the gt3themes Photo Gallery plugin (gt3-photo-video-gallery) for WordPress. This issue affects the plugin from unknown initial versions through version 2.7.7.24 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction. An unauthenticated remote attacker can exploit it by tricking a legitimate user into accessing a maliciously crafted URL or input reflected in the web page, leading to arbitrary script execution in the victim's browser context with changed scope and low impacts to confidentiality, integrity, and availability.
The Patchstack advisory provides details on this WordPress plugin vulnerability and recommends mitigation, available at https://patchstack.com/database/Wordpress/Plugin/gt3-photo-video-gallery/vulnerability/wordpress-photo-gallery-gt3-image-gallery-gutenberg-block-gallery-plugin-2-7-7-24-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should ensure affected installations update the gt3-photo-video-gallery plugin beyond version 2.7.7.24.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of the web application via crafted URLs (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007).