Skip to main content

Terry Zielke Zielke Design Project Gallery CVE-2025-23705

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 16:39 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery zielke-design-project-gallery allows Reflected XSS.This issue affects Zielke Design Project Gallery: from n/a through <= 2.5.0.

AnalysisAI

Reflected Cross-Site Scripting (XSS) in Zielke Design Project Gallery WordPress plugin through version 2.5.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis, but the low EPSS score (0.04%, 14th percentile) suggests minimal real-world exploitation activity despite the vulnerability's presence in a widely-deployed WordPress plugin.

Technical ContextAI

This is a Reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting the Zielke Design Project Gallery plugin for WordPress. The vulnerability exists because the plugin fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses. Unlike Stored XSS, Reflected XSS requires the victim to click a malicious link containing the payload; the attacker cannot inject persistent malicious content into the application itself. The vulnerability affects all versions up to and including 2.5.0, indicating the plugin's input validation and output encoding mechanisms have not been adequately implemented across affected codebases.

Affected ProductsAI

The vulnerability affects Zielke Design Project Gallery WordPress plugin in all versions from the earliest release through version 2.5.0 (CPE details for WordPress plugins typically include vendor, product, and version ranges). The plugin is distributed via the WordPress plugin repository and is installed directly into WordPress sites. No CPE string was provided in the input data, but affected users can identify impacted installations by checking the plugin version in WordPress administration panels or via the WordPress.org plugin directory at wordpress.org/plugins/zielke-design-project-gallery/.

RemediationAI

Update the Zielke Design Project Gallery plugin to a patched version released after 2.5.0 via the WordPress plugin dashboard (Plugins > Installed Plugins > Zielke Design Project Gallery > Update) or download the latest version from wordpress.org/plugins/zielke-design-project-gallery/. As an interim workaround prior to patching, site administrators should limit plugin functionality exposure, restrict access to plugin-generated pages if possible, and educate users not to click suspicious links pointing to the site. The vulnerability details and remediation guidance are available via the Patchstack vulnerability database entry referenced in the advisory. No specific patched version number was provided in available data; administrators should upgrade to the latest available release.

Share

CVE-2025-23705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy