VYPR
← All advisories
Medium severity6.1NVD Advisory· Published Apr 12, 2025· Updated Apr 15, 2026

CVE-2025-2269

CVE-2025-2269

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘image_id’ parameter in all versions up to, and including, 1.8.34 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Photo Gallery by 10Web plugin for WordPress <=1.8.34 is vulnerable to Reflected XSS via the 'image_id' parameter, allowing unauthenticated attackers to trick admins into executing malicious scripts.

Vulnerability

The Photo Gallery by 10Web plugin for WordPress suffers from a Reflected Cross-Site Scripting vulnerability in all versions up to and including 1.8.34. The flaw resides in the Editimage.php view where the image_id parameter is retrieved via WDWLibrary::get('image_id','0') without proper input sanitization or output escaping [1]. An attacker can inject arbitrary HTML/JavaScript through this parameter.

Exploitation

An unauthenticated attacker can craft a malicious URL with a payload in the image_id parameter. The attack requires social engineering to trick an administrative user (e.g., site administrator) into clicking the link. No additional privileges or authentication are needed.

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's browser session. This can lead to session hijacking, site defacement, or further compromise of the WordPress installation, depending on the admin's privileges.

Mitigation

As of the publication date (2025-04-12), no patched version has been released. Users should update to a future version beyond 1.8.34 once available. In the interim, exercise caution by not clicking untrusted links that lead to the plugin's admin pages.

References
  1. https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.34/admin/views/Editimage.php#L39

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.