CVE-2025-23441
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dkukral Attach Gallery Posts attach-gallery-posts allows Reflected XSS.This issue affects Attach Gallery Posts: from n/a through <= 1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WordPress Attach Gallery Posts plugin allows attackers to inject malicious scripts via crafted links, affecting all versions up to 1.6.
The Attach Gallery Posts plugin for WordPress (versions up to 1.6) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into the response of a vulnerable page.
Exploitation requires user interaction, such as a privileged user clicking a malicious link or visiting a crafted page [1]. The attack does not require authentication beyond the victim's session, making it suitable for mass exploitation campaigns targeting thousands of WordPress sites.
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser, leading to potential actions like redirecting users to malicious sites, displaying advertisements, or stealing sensitive information [1]. The CVSS v3 base score is 7.1 (High), indicating significant risk.
As of the advisory, no official patch has been released; however, Patchstack provides a mitigation rule to block attacks until an update can be applied [1]. Users are urged to update the plugin or implement the mitigation as soon as possible.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.6
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.