CVE-2025-28918

Vulnerability

Overview The thumbnail-grid plugin for WordPress, versions up to 6.8, suffers from a Stored Cross-Site Scripting (XSS) vulnerability. This is caused by improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be permanently stored on the server [1]. The flaw is classified as CVE-2025-28918 and carries a CVSS v3 score of 6.5 (Medium) [1].

Exploitation

Requirements Exploitation requires a privileged user account — such as an editor or administrator — to inject the payload via the plugin's input fields. No direct network-level access is needed, and user interaction from the victim is not required for initial storage; however, a subsequent page visit by any user will trigger execution. According to the advisory, similar vulnerabilities are commonly used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously [1].

Impact

If successfully exploited, an attacker can inject arbitrary JavaScript, HTML, or other script content into the website. This can lead to redirects, unauthorized advertisements, data theft, or defacement — any action that JavaScript can perform within the context of the victim's browser. The stored payload executes each time a visitor loads the affected page, enabling persistent, wide-reaching attacks [1].

Mitigation

The vulnerability has been patched in version 6.9 of the Featured Image Thumbnail Grid plugin. Users are strongly advised to update to 6.9 or later immediately. For sites where an update is not possible, the reference suggests contacting a hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins to streamline protection [1].