Skip to main content

BEAF Gallery Plugin CVE-2025-15665

| EUVDEUVD-2025-210458 MEDIUM
2026-07-14 WPScan GHSA-h7cp-867p-67hq
5.4
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

Administrator-level WordPress access maps to PR:H; description explicitly names this role, making the provided PR:L appear to understate the privilege barrier.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 14, 2026 - 15:31 vuln.today
CVSS changed
Jul 14, 2026 - 13:22 NVD
5.4 (MEDIUM)
Patch available
Jul 14, 2026 - 11:17 EUVD
CVE Published
Jul 14, 2026 - 06:00 cve.org
MEDIUM 5.4
CVE Published
Jul 14, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.

AnalysisAI

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

Technical ContextAI

The Ultimate Before After Image Slider & Gallery plugin exposes a BEAF Slider widget configurable via WordPress's shortcode or block editor interfaces. The underlying flaw is that the plugin passes the user-supplied shortcode field value directly through WordPress core's do_shortcode() function and then outputs its return value to the page without applying wp_kses, esc_html, or any equivalent output escaping. WordPress's do_shortcode() is designed to execute registered shortcode handlers and return their output; critically, content that does not match any registered shortcode tag is returned verbatim - making it an unsafe rendering path for untrusted input. This creates a persistent (stored) XSS sink. Although no CWE was formally assigned, the root cause maps squarely to CWE-79 (Improper Neutralization of Input During Web Page Generation). The affected CPE is cpe:2.3:a:unknown:ultimate_before_after_image_slider_&_gallery:*:*:*:*:*:*:*:*, covering all releases prior to 4.7.1.

RemediationAI

Update the Ultimate Before After Image Slider & Gallery WordPress plugin to version 4.7.1 or later, which is confirmed by WPScan to address the missing output escaping in the BEAF Slider widget's shortcode field rendering path. The advisory is available at https://wpscan.com/vulnerability/754f0960-efc8-426f-bb1d-7cceec920910/. If immediate patching is not feasible, restrict configuration of the BEAF Slider widget exclusively to fully trusted administrator accounts and audit all existing BEAF Slider widget instances for injected script payloads - check the shortcode field of every widget instance across all pages and posts. In WordPress multisite environments, consider temporarily disabling the plugin network-wide until the patch can be applied, as sub-site administrators represent a lower-trust population. Note that restricting widget access does not remove already-stored payloads; a manual audit of existing widget configurations is required as a compensating control.

Share

CVE-2025-15665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy