VYPR
High severity · 7.1 · NVD Advisory · Published Feb 2, 2026 · Updated Apr 15, 2026

CVE-2025-15396

Description

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Library Viewer WordPress plugin before 3.2.0 fails to sanitize output, enabling reflected XSS that can target high-privilege users like admins.

The Library Viewer WordPress plugin prior to version 3.2.0 contains a reflected cross-site scripting (XSS) vulnerability. The root cause is the lack of sanitization and escaping of certain parameters before they are output back in the page. This flaw allows an attacker to inject arbitrary JavaScript code that executes in the context of a visitor's browser session [1].

Exploitation requires tricking a user, ideally a high-privilege user such as an administrator, into clicking a specially crafted link. The malicious input is reflected immediately in the response, so the attacker needs no authentication of their own; the only prerequisite is social engineering [1].

Successful exploitation can lead to the execution of arbitrary web scripts in the context of the target's session. This could enable an attacker to perform actions on behalf of the administrator, such as creating new admin accounts, modifying plugins, or exfiltrating sensitive data. The vulnerability is classified as High severity (CVSS 7.1) due to the potential impact on confidentiality, integrity, and availability [1].

Users are strongly advised to update the Library Viewer plugin to version 3.2.0 or later, which contains the necessary fixes to sanitize output and prevent the XSS vector. No workarounds have been disclosed, and the vendor has addressed the issue in the latest release [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
