VYPR
Medium severity 6.5 · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62910

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in deshine Video Gallery by Huzzaz huzzaz-video-gallery allows Stored XSS. This issue affects Video Gallery by Huzzaz: from n/a through <= 10.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in the Video Gallery by Huzzaz plugin for WordPress allows attackers to inject malicious scripts because input is not properly sanitized.

Vulnerability Overview

The Video Gallery by Huzzaz plugin for WordPress (versions up to and including 10.5) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This allows attackers to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users access the affected pages [1].

Attack Vector and Prerequisites

Exploitation requires a user with contributor-level privileges or higher to submit malicious input through the plugin's gallery creation or media upload features. The injected script is then stored and executed in the context of the victim's browser when they view the gallery pages. No authentication is needed from the victim, but the attacker must have valid credentials with sufficient permissions [1].

Impact

Successful exploitation can lead to various malicious activities, including redirection to phishing sites, theft of sensitive session cookies, defacement of website content, or distribution of malware. The vulnerability is particularly concerning as it can be used in mass exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

Users are strongly advised to update the Video Gallery by Huzzaz plugin to version 10.5.1 or later, which patches the vulnerability. If updating is not immediately possible, consider disabling the plugin or restricting contributor-level accounts until the patch is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
