CVE-2025-67538
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS. This issue affects JNews Gallery: from n/a through < 12.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress JNews Gallery plugin before 12.0.1 allows authenticated attackers to inject malicious scripts.
The vulnerability is a stored Cross-Site Scripting (XSS) due to improper neutralization of user input during web page generation in the JNews Gallery plugin for WordPress [1]. This affects versions from n/a through 12.0.0.
Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a malicious link or submitting a crafted form. The injected script is stored on the server and executed when other users visit the affected page [1].
An attacker can inject arbitrary HTML and JavaScript, leading to redirects, advertisements, or other payloads that execute in visitors' browsers. This can compromise site integrity and user trust [1].
The issue is fixed in version 12.0.1. Users are advised to update immediately. While the CVSS score is 6.5 (Medium), this vulnerability is known to be used in mass-exploit campaigns, making timely patching critical [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
- Range: < 12.0.1
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.