CVE-2025-26581
Published: 26 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-26581 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the videowhisper Picture Gallery WordPress plugin (picture-gallery). It affects all versions from an unspecified starting point through 1.6.3. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no required privileges, user interaction, and changed scope.
An unauthenticated attacker can exploit this vulnerability remotely by crafting malicious input that is reflected and executed as JavaScript in a victim's browser when they interact with a specially prepared web page or link. Exploitation requires user interaction, such as clicking a malicious URL, but achieves low impacts on confidentiality, integrity, and availability within a changed scope, potentially enabling session hijacking, data theft, or further site compromise in the victim's context.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/picture-gallery/vulnerability/wordpress-picture-gallery-plugin-1-5-23-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should update to a patched version beyond 1.6.3 if available and apply standard XSS defenses like input sanitization and Content Security Policy.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) via crafted malicious URLs and facilitates theft of web session cookies through injected JavaScript execution (T1539).