CVE-2025-23705
Lifecycle Timeline
2Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery zielke-design-project-gallery allows Reflected XSS.This issue affects Zielke Design Project Gallery: from n/a through <= 2.5.0.
Analysis
Reflected Cross-Site Scripting (XSS) in Zielke Design Project Gallery WordPress plugin through version 2.5.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis, but the low EPSS score (0.04%, 14th percentile) suggests minimal real-world exploitation activity despite the vulnerability's presence in a widely-deployed WordPress plugin.
Technical Context
This is a Reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting the Zielke Design Project Gallery plugin for WordPress. The vulnerability exists because the plugin fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses. Unlike Stored XSS, Reflected XSS requires the victim to click a malicious link containing the payload; the attacker cannot inject persistent malicious content into the application itself. The vulnerability affects all versions up to and including 2.5.0, indicating the plugin's input validation and output encoding mechanisms have not been adequately implemented across affected codebases.
Affected Products
The vulnerability affects Zielke Design Project Gallery WordPress plugin in all versions from the earliest release through version 2.5.0 (CPE details for WordPress plugins typically include vendor, product, and version ranges). The plugin is distributed via the WordPress plugin repository and is installed directly into WordPress sites. No CPE string was provided in the input data, but affected users can identify impacted installations by checking the plugin version in WordPress administration panels or via the WordPress.org plugin directory at wordpress.org/plugins/zielke-design-project-gallery/.
Remediation
Update the Zielke Design Project Gallery plugin to a patched version released after 2.5.0 via the WordPress plugin dashboard (Plugins > Installed Plugins > Zielke Design Project Gallery > Update) or download the latest version from wordpress.org/plugins/zielke-design-project-gallery/. As an interim workaround prior to patching, site administrators should limit plugin functionality exposure, restrict access to plugin-generated pages if possible, and educate users not to click suspicious links pointing to the site. The vulnerability details and remediation guidance are available via the Patchstack vulnerability database entry referenced in the advisory. No specific patched version number was provided in available data; administrators should upgrade to the latest available release.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today