CVE-2025-23478

Vulnerability

Overview CVE-2025-23478 is a reflected cross-site scripting (XSS) vulnerability in the WordPress Photo Video Store plugin (versions through 21.07). The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into a response.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link that, when clicked by a privileged user (e.g., an administrator), triggers the XSS payload. No authentication is required to initiate the attack, but successful exploitation depends on the target user performing an action such as clicking the link or visiting a crafted page [1].

Impact

If exploited, the attacker gains the ability to execute malicious scripts in the context of the victim's browser. This can lead to actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing sensitive data. The CVSS score of 7.1 (High) and its presence in mass-exploit campaigns highlight the real-world risk [1].

Mitigation

As of the publication date, an official patch may not be available. Users are advised to immediately update the plugin if a patched version is released. In the meantime, security solutions like Patchstack offer a virtual mitigation rule to block attacks until a proper fix can be applied [1].