CVE-2025-63052

Vulnerability

Overview

CVE-2025-63052 is a stored cross-site scripting (XSS) vulnerability in the WordPress SimpLy Gallery plugin (simply-gallery-block), affecting versions from n/a through 3.3.2.1. The root cause is improper neutralization of user input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript into the gallery block [1].

Exploitation

Exploitation requires a privileged user (e.g., editor or admin) to perform an action such as clicking a malicious link or submitting a crafted form. Once the injected script is stored, it executes when any visitor loads the affected page. The vulnerability is classified as medium severity with a CVSS v3 score of 6.5, and user interaction is required user interaction is needed for initial injection [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts that can redirect visitors, display advertisements, or deliver other HTML payloads. This can lead to defacement, phishing, or further compromise of the site and its users [1].".

Mitigation

The vendor has released version 3.3.2.2 which resolves the issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is available [1].