CVE-2025-47521
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows Stored XSS. This issue affects Robo Gallery: from n/a through <= 5.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Stored Cross-Site Scripting (XSS) vulnerability in Robo Gallery versions ≤5.0.2 allows authenticated users with low privileges to inject arbitrary scripts into web pages.
Vulnerability Overview
The Robo Gallery plugin for WordPress, versions 5.0.2 and earlier, contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows input containing malicious scripts to be persisted in the application's database and later executed when other users view affected pages.
Exploitation Details
Exploitation requires a user with the necessary WordPress role (such as Contributor or Author) to submit crafted input through a form or gallery configuration field [1]. No direct user interaction from a victim is needed beyond viewing the compromised page, but the attacker must have the ability to save content that will be rendered without proper sanitization. This makes the attack viable for spreading malicious payloads across a site's galleries.
Impact
If successfully exploited, an attacker can inject arbitrary JavaScript, HTML, or other client-side payloads [1]. This could lead to session hijacking, redirection to malicious sites, defacement, or theft of sensitive information from site visitors. The vulnerability has a CVSS v3 base score of 5.9 (Medium) and is noted as potentially used in mass-exploit campaigns against numerous WordPress sites [1].
Mitigation
The vendor has released version 5.0.3, which fixes the issue [1]. Users are strongly advised to update the plugin immediately. For sites that cannot be updated right away, applying a Web Application Firewall (WAF) rule that filters XSS patterns or temporarily disabling the plugin are interim mitigations.
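The flaw class described above (stored input concatenated into HTML at render time) and the fix class (context-aware output escaping) are shown side by side in the following added illustration. This is not Robo Gallery's code and does not reproduce the plugin's actual sink; the gallery record, its field names and the marker strings are constructed sample data, and the helper `h()` is a hypothetical wrapper around PHP's `htmlspecialchars()`. In WordPress plugin code the equivalent escaping calls are `esc_html()` for text nodes and `esc_attr()` / `esc_url()` for attributes.

```php
<?php
// Added illustration of a stored-XSS sink and its hardened counterpart.
// Not Robo Gallery's code; the record below is constructed sample data.
declare(strict_types=1);

// Constructed stored record: the caption and link are the fields a low-privilege
// author could have saved earlier through a form. The <script> tag and the
// closing quote are markers only; in a real incident they would carry a payload.
$storedGallery = [
    'title'   => 'Summer shots',
    'caption' => 'Nice photos <script>/* constructed marker */</script>',
    'link'    => 'https://example.com/gallery" onmouseover="/* constructed marker */',
];

// Vulnerable pattern: stored values are concatenated straight into HTML,
// so markup saved once by the author is executed by every later visitor.
function renderGalleryUnsafe(array $g): string
{
    return '<div class="gallery">'
        . '<h2>' . $g['title'] . '</h2>'
        . '<p>' . $g['caption'] . '</p>'
        . '<a href="' . $g['link'] . '">open</a>'
        . '</div>';
}

// Hypothetical helper: escape for HTML text and attribute context.
// ENT_QUOTES covers both quote styles so an attribute cannot be terminated;
// ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: escape at the moment of output, per context, and validate
// URL-bearing fields separately, because escaping alone does not neutralize
// a javascript: scheme inside href.
function renderGallerySafe(array $g): string
{
    $link = $g['link'];
    if (!preg_match('#^https?://#i', $link)) {
        $link = '#';
    }
    return '<div class="gallery">'
        . '<h2>' . h($g['title']) . '</h2>'
        . '<p>' . h($g['caption']) . '</p>'
        . '<a href="' . h($link) . '">open</a>'
        . '</div>';
}

// Check whether rendered output still carries a live script tag or an
// attribute break-out; true means the sink is exploitable as stored XSS.
function outputIsTainted(string $html): bool
{
    return str_contains($html, '<script>') || str_contains($html, '" onmouseover=');
}

$unsafe = renderGalleryUnsafe($storedGallery);
$safe   = renderGallerySafe($storedGallery);

echo "unsafe render tainted: " . var_export(outputIsTainted($unsafe), true) . PHP_EOL;
echo "safe render tainted:   " . var_export(outputIsTainted($safe), true) . PHP_EOL;
echo $safe . PHP_EOL;
```

Run with `php example.php` (PHP 8 or later, for `str_contains`). The unsafe renderer emits the stored `<script>` element and the broken-out attribute verbatim; the hardened renderer turns `<`, `>` and `"` into entities and forces the link to a known scheme, so the same stored record produces inert markup. The point for defenders is that the fix belongs at the output sink, not only at the input form: stored data may have entered through a path that was never filtered, or through an older plugin version.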
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 5.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.