CVE-2025-12672

The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.5. The vulnerability exists because the plugin fails to properly sanitize the 'div_height' parameter of the 'flickrshow' shortcode and does not escape output, allowing malicious script injection [1].

An attacker must have at least Contributor-level access to the WordPress site to exploit this flaw. By crafting a shortcode with a malicious 'div_height' value, the attacker can inject arbitrary web scripts into a page or post. The injected script will execute whenever any user views the compromised page [1].

Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing the site. The impact is limited to the context of the affected WordPress instance, but can compromise the integrity and confidentiality of user interactions [1].

The plugin has been closed as of November 7, 2025, due to this security issue and is no longer available for download. Users should remove the plugin from their WordPress installations and consider alternative solutions [1].