CVE-2025-47449

Vulnerability

Details The Meow Gallery plugin for WordPress (versions up to and including 5.2.7) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during page generation [1]. This flaw is classified as CWE-79 and allows an attacker to store malicious scripts that execute when other users access the affected page.

Exploitation

Exploitation requires a privileged user (such as an editor or administrator) to interact with a crafted link, form, or page. Once triggered, the injected script is stored and executed in the context of the victim's browser [1]. No authentication is needed for the attacker, but the victim must be authenticated with sufficient privileges to trigger the stored payload.

Impact

Successful exploitation enables an attacker to perform actions like redirecting visitors to malicious sites, displaying unauthorized advertisements, or injecting arbitrary HTML and JavaScript. This can lead to defacement, data theft, or further compromise of the WordPress site [1].

Mitigation

The vulnerability has been patched in version 5.2.8 of the Meow Gallery plugin. Users are strongly advised to update immediately. For those using Patchstack, auto-update can be enabled to protect against this and similar vulnerabilities [1]. The CVSS score is 5.9 (Medium), indicating moderate severity with a low likelihood of exploitation in typical scenarios.