CVE-2025-27004
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery allows Reflected XSS. This issue affects Famous - Responsive Image And Video Grid Gallery WordPress Plugin: from n/a through <= 1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Famous - Responsive Image And Video Grid Gallery plugin (≤1.4) allows script injection via improper input neutralization.
Vulnerability Overview
The vulnerability is a reflected cross-site scripting (XSS) issue in the Famous - Responsive Image And Video Grid Gallery WordPress plugin, versions 1.4 and below. The root cause is improper neutralization of user input during web page generation, allowing injection of arbitrary HTML and JavaScript. This affects all installations of the plugin up to and including version 1.4 [1].
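The root cause named above, improper neutralization during page generation, is the generic pattern in which a request parameter is written straight into the rendered markup. The following PHP is an added illustration and is not code from the Famous gallery plugin; the record does not identify the affected parameter, so the function names and the `gallery_page` and `q` parameters are hypothetical. It shows the unsafe pattern beside the hardened form that a WordPress developer would use: validate or sanitize on input, then escape on output with the function matching the HTML context.

```php
<?php
// Added example, not the plugin's code. Function names and the
// "gallery_page" / "q" request parameters are hypothetical.

// BEFORE: the pattern behind a reflected XSS. Request parameters are
// written into the generated markup without neutralization, so whatever
// arrives in the URL is rendered verbatim in the visitor's browser.
function famous_demo_render_gallery_unsafe() {
    $page  = isset( $_GET['gallery_page'] ) ? $_GET['gallery_page'] : '1';
    $query = isset( $_GET['q'] ) ? $_GET['q'] : '';

    echo '<div class="gallery" data-page="' . $page . '">';
    echo '<p>Results for ' . $query . '</p>';
    echo '<a href="?gallery_page=' . $page . '">Next</a>';
    echo '</div>';
}

// AFTER: validate on the way in, escape on the way out, per output context.
function famous_demo_render_gallery_safe() {
    // Input validation: a page number can only ever be a non-negative integer.
    $page = isset( $_GET['gallery_page'] )
        ? absint( wp_unslash( $_GET['gallery_page'] ) )
        : 1;

    // Input sanitization: strip tags, octets and line breaks from free text.
    // This reduces the attack surface but is not the XSS defense by itself.
    $query = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';

    // Output escaping is the actual neutralization step, chosen by context:
    //   esc_attr() inside an attribute value,
    //   esc_html() inside element text,
    //   esc_url()  inside an href/src.
    echo '<div class="gallery" data-page="' . esc_attr( $page ) . '">';
    echo '<p>Results for ' . esc_html( $query ) . '</p>';
    echo '<a href="' . esc_url( add_query_arg( 'gallery_page', $page ) ) . '">Next</a>';
    echo '</div>';
}
```

The point of the hardened version is that the escaping call sits at the `echo`, not at the `$_GET` read: a value that is sanitized on input can still be unsafe in a different output context, and a value that is escaped correctly at output is safe regardless of where it came from. Reviewing a plugin for this class of bug therefore means finding every `echo`/`print` of request-derived data and checking that an `esc_*` call wraps it.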
Exploitation
Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. The attack does not require authentication, meaning an unauthenticated attacker can trigger the XSS payload if a privileged user (e.g., an admin) performs the action. This makes it viable for mass exploitation campaigns targeting thousands of websites [1].
Impact
Successful exploitation allows an attacker to inject malicious scripts, which can execute in the context of a visitor's browser. Potential impacts include redirecting users to malicious sites, displaying unauthorized advertisements, stealing session cookies, or performing other actions on behalf of the victim user [1].
Mitigation
No official patch has been released at the time of publication. Patchstack has issued a mitigation rule to block attacks until an official patch becomes available. Users are advised to update the plugin immediately once a patch is released or apply the mitigation rule. If unable to update, consult with a web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 1.4
- Range: <= 1.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.