CVE-2025-25070
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ed atrero's Album Reviewer (albumreviewer) allows Stored XSS. This issue affects Album Reviewer: from n/a through <= 2.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Album Reviewer plugin (≤2.0.2) allows privileged users to inject malicious scripts into pages viewed by site visitors.
Vulnerability
Description
An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in the Album Reviewer WordPress plugin, version 2.0.2 and earlier. The flaw allows a user with sufficient privileges to inject arbitrary web scripts or HTML into pages, which are then stored and executed when other users — particularly site visitors — access the affected page. The root cause is insufficient input sanitization or output escaping in the plugin's handling of user-supplied data [1].
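As an added illustration of the root cause named above (not code from the Album Reviewer plugin, whose affected field is not identified here), the pattern a reviewer looks for: a stored review field written out unescaped, beside a version that escapes on output and sanitizes on save. The function names and meta keys are assumed for the example.

```php
<?php
// Illustrative only; ar_render_review*, ar_save_review and the _ar_* meta keys are assumed names.

// Vulnerable pattern: review text saved by an author/editor is echoed verbatim,
// so any markup stored with it runs in every visitor's browser (stored XSS).
function ar_render_review_unsafe( int $post_id ): string {
    $title = get_post_meta( $post_id, '_ar_review_title', true );
    $body  = get_post_meta( $post_id, '_ar_review_body', true );
    return '<h3>' . $title . '</h3><div class="ar-body">' . $body . '</div>';
}

// Hardened pattern: escape on output, picking the escaper by the HTML context.
function ar_render_review( int $post_id ): string {
    $title  = get_post_meta( $post_id, '_ar_review_title', true );
    $body   = get_post_meta( $post_id, '_ar_review_body', true );
    $rating = (int) get_post_meta( $post_id, '_ar_rating', true );
    $rating = max( 0, min( 5, $rating ) );                   // clamp to the expected range

    $html  = '<h3>' . esc_html( $title ) . '</h3>';           // text node: no markup allowed
    $html .= '<div class="ar-body" data-rating="' . esc_attr( (string) $rating ) . '">';
    $html .= wp_kses_post( $body );                           // rich text: only post-safe tags survive
    $html .= '</div>';
    return $html;
}

// Sanitize on save as well, so the stored value is already constrained;
// a real handler would also verify a nonce before trusting $fields.
function ar_save_review( int $post_id, array $fields ): void {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    update_post_meta( $post_id, '_ar_review_title', sanitize_text_field( $fields['title'] ?? '' ) );
    update_post_meta( $post_id, '_ar_review_body', wp_kses_post( $fields['body'] ?? '' ) );
    update_post_meta( $post_id, '_ar_rating', absint( $fields['rating'] ?? 0 ) );
}
```

Escaping at output is the control that holds even when older rows were saved unsanitized, which is why a fix for a stored XSS normally touches the rendering path, not only the save handler.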
Exploitation
Requirements
Exploitation requires a privileged user role (such as an author or editor) to perform an action, such as submitting a form or interacting with a crafted input. However, the attack does not require a high level of skill, and the vulnerability is considered moderately dangerous as it is likely to be targeted in mass-exploit campaigns [1]. Attackers often chain such vulnerabilities to compromise thousands of websites regardless of traffic size or popularity.
Impact
A successful attack enables the attacker to inject malicious scripts — for example, redirect scripts, advertisements, or other HTML payloads — into the vulnerable website. When a site visitor views the compromised page, the injected script executes in their browser. This can lead to data theft, session hijacking, defacement, or forced redirection to malicious sites. The CVSS v3 base score is 7.1 (High), reflecting the potential for significant harm to both the site and its visitors [1].
Mitigation and Patching
Users are strongly advised to update the Album Reviewer plugin to a patched version as soon as it becomes available. As an immediate workaround, Patchstack has issued a mitigation rule to block attacks until an official patch can be applied [1]. Website administrators who cannot update should contact their hosting provider or a web security professional for assistance.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.