CVE-2024-49695
Description
Stored XSS in WP Flow Plus ≤5.2.3 allows attackers to inject arbitrary web scripts via unsanitized image fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WP Flow Plus ≤5.2.3 allows attackers to inject arbitrary web scripts via unsanitized image fields.
Vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability exists in WP Flow Plus (plugin slug wp-imageflow2) for WordPress, version 5.2.3 and earlier [1]. The plugin fails to properly neutralize user-supplied input during web page generation: unsanitized image metadata (or other input fields) is written into the rendered gallery markup, which allows injection of malicious script code. The vulnerability is present in all versions from n/a through 5.2.3 inclusive.
Exploitation
An attacker must have WordPress contributor-level access or higher to add or modify media items (or any role that can supply data processed by the plugin). By crafting a media item or shortcode parameter containing JavaScript payloads, the attacker can store the malicious input. When other users (including administrators) view the page containing the gallery, the payload executes in their browsers. No direct network-level position is required beyond authenticated web access.
Impact
Successful exploitation results in Stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack requires the victim to visit a page that uses the vulnerable plugin to display a gallery.
Mitigation
The vendor released version 5.2.6 on August 26, 2025, which includes a fix: "Security: sanitize image…" [1]. Users should update to version 5.2.6 or later immediately. No other workaround is provided in the available references. Versions 5.2.4 and 5.2.5 likely also contain the fix, but the changelog explicitly marks 5.2.6 as the security release.
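The Vulnerability and Mitigation sections above describe the general pattern behind this class of bug (attacker-controlled image metadata written into page markup without escaping) and the vendor's fix ("sanitize image…"). The following is an added illustrative example and is not code from WP Flow Plus or its changelog; it does not reproduce the plugin's actual code path. The `$image` array and the two `render_gallery_item_*` functions are hypothetical; `esc_url()`, `esc_attr()` and `esc_html()` are real WordPress escaping functions, so the snippet assumes it runs inside a loaded WordPress environment (for example from a plugin file).

```php
<?php
// Added example, not WP Flow Plus code. Shows why unescaped image metadata
// becomes stored XSS and how context-aware output escaping neutralizes it.

/**
 * Vulnerable pattern (hypothetical): stored metadata is concatenated straight
 * into HTML. Any quote or angle bracket a low-privileged author saved in the
 * title or caption field is interpreted as markup by every viewer's browser.
 */
function render_gallery_item_unsafe( array $image ): string {
    return '<figure>'
        . '<img src="' . $image['src'] . '" title="' . $image['title'] . '">'
        . '<figcaption>' . $image['caption'] . '</figcaption>'
        . '</figure>';
}

/**
 * Hardened pattern (hypothetical): escape each value for the exact context it
 * lands in, at output time.
 *  - esc_url()  : only allows the schemes in wp_allowed_protocols(), so a
 *                 javascript: or data: URL in the src field is dropped.
 *  - esc_attr() : encodes quotes and angle brackets so the value cannot close
 *                 the attribute and start a new tag or event handler.
 *  - esc_html() : encodes the caption for HTML text context.
 */
function render_gallery_item_safe( array $image ): string {
    return '<figure>'
        . '<img src="' . esc_url( $image['src'] ) . '" title="' . esc_attr( $image['title'] ) . '">'
        . '<figcaption>' . esc_html( $image['caption'] ) . '</figcaption>'
        . '</figure>';
}

// Constructed sample record: a benign title that merely contains characters
// with HTML meaning. In the unsafe renderer they become live markup; in the
// safe renderer they are displayed literally.
$image = array(
    'src'     => 'https://example.invalid/uploads/sunset.jpg',
    'title'   => 'Sunset "over the bay" <b>2024</b>',
    'caption' => 'Taken at 7pm & edited later',
);

echo render_gallery_item_unsafe( $image ), "\n";
echo render_gallery_item_safe( $image ), "\n";
```

Escaping on output is the durable fix because the same stored value may be rendered in several contexts (attribute, text, URL); input-side sanitization such as `sanitize_text_field()` on save is a useful second layer but does not replace it. When reviewing a plugin update for this issue, look for exactly this change: raw `$meta`/`$atts` values in echoed HTML replaced by the `esc_*` family.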
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:spiffyplugins:wp_flow_plus:*:*:*:*:*:wordpress:*:* (range: <5.2.4)
- (no CPE) (range: <=5.2.3)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.