CVE-2025-8400
Description
The Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress Image Gallery plugin (all versions ≤1.0.0) allows unauthenticated attackers to inject arbitrary web scripts via unsanitized input.
Vulnerability Overview
The Image Gallery plugin for WordPress (versions up to and including 1.0.0) suffers from a Reflected Cross-Site Scripting (XSS) vulnerability. The root cause is insufficient input sanitization and output escaping in the plugin's code. Specifically, in the file includes/bee-quick-gallery-functions.php, user-controlled values such as the image title and caption are echoed directly into the page without proper escaping, so markup and script in those values are rendered rather than displayed as text [2].
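The pattern the overview describes, as an added example that is not the Image Gallery plugin's own code: a request handler that reflects a title and caption into markup with no escaping, beside the hardened form that escapes at the point of output with the WordPress escaper matching each context. The parameter names, the markup, the constructed payloads, and the stand-in esc_html()/esc_attr() definitions (present only so the file runs outside WordPress, where the real functions are loaded instead) are assumptions.

```php
<?php
// Added example: minimal model of the unescaped-reflection pattern and its fix.
// Parameter names, markup and the stand-in escapers below are assumptions.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr() already exist and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: request-controlled title and caption are concatenated straight
// into the markup, so '"', '<' and '>' in the input become live markup.
function render_gallery_item_vulnerable(array $request): string {
    $title   = $request['title']   ?? '';
    $caption = $request['caption'] ?? '';
    return '<figure class="gallery-item" title="' . $title . '">'
         . '<figcaption>' . $caption . '</figcaption></figure>';
}

// HARDENED: escape on output, choosing the escaper for the context the value
// lands in (attribute value vs. element text). Output escaping, not only input
// filtering, is what closes reflected XSS.
function render_gallery_item_hardened(array $request): string {
    $title   = (string) ($request['title']   ?? '');
    $caption = (string) ($request['caption'] ?? '');
    return '<figure class="gallery-item" title="' . esc_attr($title) . '">'
         . '<figcaption>' . esc_html($caption) . '</figcaption></figure>';
}

// True when the raw payload survives verbatim in the rendered page, i.e. the
// reflection is exploitable; used as a quick check on both renderers.
function reflects_unescaped(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

// Constructed request (not a real capture): an attribute-breakout payload in
// the title and a script element in the caption.
$request = [
    'title'   => '"><img src=x onerror=alert(1)>',
    'caption' => '<script>alert(document.domain)</script>',
];

$vuln = render_gallery_item_vulnerable($request);
$safe = render_gallery_item_hardened($request);

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
echo 'vulnerable reflects title payload: '
   . var_export(reflects_unescaped($vuln, '<img src=x onerror=alert(1)>'), true) . "\n";
echo 'hardened reflects title payload:   '
   . var_export(reflects_unescaped($safe, '<img src=x onerror=alert(1)>'), true) . "\n";
echo 'hardened reflects caption payload: '
   . var_export(reflects_unescaped($safe, '<script>'), true) . "\n";
```

Running it with `php` prints the two renderings side by side: the vulnerable output carries the injected img and script elements intact, while the hardened output contains only entity-encoded text (`&quot;&gt;&lt;img ...`). The reflects_unescaped() check is the same test a pentester applies to a live page: send a probe containing `"` and `<`, then look for it verbatim in the response body.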
Exploitation Scenario
An unauthenticated attacker can craft a malicious URL containing a payload in a parameter that the plugin reflects. Because no authentication is required to trigger the reflection, the attacker only needs to trick a victim into clicking the crafted link. The payload then executes in the victim's browser within the origin of the vulnerable WordPress site.
Impact
The attacker can perform actions on behalf of the victim, such as defacing the site, redirecting users to malicious domains, or issuing authenticated requests from the victim's browser. WordPress marks its authentication cookies HttpOnly by default, so direct cookie theft is the less likely outcome; the more realistic one is the script acting as the logged-in user, which for an administrator includes changing site settings or installing code. Given the Medium CVSS score (6.1) and the lack of authentication requirements, this vulnerability poses a realistic phishing and social engineering risk.
Mitigation Status
The plugin was closed on July 31, 2025, due to a security issue, and is no longer available for download [1]. No official patch exists because the plugin has been shut down. Users who have installed version 1.0.0 or earlier should delete the plugin from all WordPress installations; deactivating it is a stopgap only, since the vulnerable file remains on disk until the plugin is removed.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.