CVE-2025-28869

CVE-2025-28869 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the NextGEN Gallery Voting WordPress plugin (nextgen-gallery-voting) by shauno. The issue affects all versions from n/a through 2.7.6, allowing malicious input to be reflected and executed as script on affected web pages.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by crafting payloads delivered via user-induced inputs, achieving arbitrary JavaScript execution in the victim's browser context due to the changed scope (S:C). This enables low-level impacts on confidentiality, integrity, and availability, such as stealing session cookies, defacing pages, or phishing within the site's domain.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/nextgen-gallery-voting/vulnerability/wordpress-nextgen-gallery-voting-plugin-2-7-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.