VYPR
Medium severity (6.5) · NVD Advisory · Published Aug 28, 2025 · Updated Apr 23, 2026

CVE-2025-48349

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in origincode Video Gallery – Vimeo and YouTube Gallery (smart-grid-gallery) allows Stored XSS. This issue affects Video Gallery – Vimeo and YouTube Gallery: from n/a through <= 1.1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Video Gallery – Vimeo and YouTube Gallery plugin (≤1.1.7) allows attackers with contributor-level access to inject malicious scripts.

Vulnerability

Overview

The Video Gallery – Vimeo and YouTube Gallery plugin (smart-grid-gallery) for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The flaw affects all versions up to and including 1.1.7. An authenticated attacker with contributor privileges or higher can inject arbitrary HTML and JavaScript into gallery content, which is then stored on the server and executed in the browsers of other users when they view the affected pages [1].

Exploitation

Requirements

Exploitation requires a WordPress user account with at least contributor-level permissions to create or edit gallery items. No unusual network access is needed; the attack is carried out through the plugin's administrative interface. The injected payload becomes persistent, meaning every visitor to the page—including site administrators and end-users—will execute the script. User interaction is required only in the sense that a victim must visit the infected page; no additional clicks or form submissions are needed [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can be used to steal session cookies, deface the website, redirect visitors to malicious sites, or inject advertisements and phishing overlays. Because it is stored, the attack can propagate to many users over time, making it suitable for mass-exploitation campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has not released a patched version as of the publication date. Users should immediately update the plugin if a security update becomes available, or disable the plugin until a fix is applied. Site administrators can also restrict contributor-level permissions and review gallery content for suspicious code as a temporary workaround [1].
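To make the mechanism in the Overview and the fix implied by the Mitigation concrete, here is an added example (not code from the smart-grid-gallery plugin or the advisory) of a gallery item rendered without output escaping next to the escaped form. The polyfills for esc_html() and esc_url() are assumptions so the script runs on plain CLI PHP; inside WordPress the real functions exist and would be used instead, and the simplified esc_url() here only admits http(s) URLs.

```php
<?php
// Added example, not code from the smart-grid-gallery plugin: a gallery
// item echoed without output escaping versus the escaped form.
// The polyfills below let this run on plain CLI PHP; inside WordPress the
// real esc_html()/esc_url() exist and are used instead (assumption: the
// simplified esc_url() here only admits http(s) URLs, the real one does more).
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        $s = trim($s);
        // Reject non-http(s) schemes such as javascript:, then attribute-escape.
        return preg_match('#^https?://#i', $s) ? esc_html($s) : '';
    }
}

// Constructed gallery item, the kind of value a contributor-level user can save.
$item = [
    'title' => 'Demo <img src=x onerror=alert(1)>',
    'url'   => 'javascript:alert(1)',
];

// Vulnerable pattern: stored values concatenated straight into the markup,
// so every visitor's browser parses the injected tag as HTML.
function render_unsafe(array $item): string {
    return '<a href="' . $item['url'] . '">' . $item['title'] . '</a>';
}

// Hardened pattern: escape at output time for the context the value lands in
// (URL attribute vs. text node). Input-side sanitize_text_field() is a useful
// second layer, but output escaping is what stops the stored payload running.
function render_safe(array $item): string {
    return '<a href="' . esc_url($item['url']) . '">'
         . esc_html($item['title']) . '</a>';
}

echo render_unsafe($item), "\n"; // markup contains a live <img onerror=...>
echo render_safe($item), "\n";   // href is empty, title shown as literal text
```

Reviewing stored gallery content for markup that render_safe() would have neutralized (tags or event-handler attributes in title or URL fields) is the manual check the workaround above describes.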

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in our index yet)