Skip to main content

Album Reviewer CVE-2025-25070

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Album Reviewer allows Stored XSS. This issue affects Album Reviewer: from n/a through 2.0.2.

AnalysisAI

Stored cross-site scripting (XSS) in Album Reviewer WordPress plugin versions up to 2.0.2 allows remote unauthenticated attackers to inject malicious JavaScript into album review content that executes when other users view the compromised pages. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of victim users, with cross-site scope allowing attacks beyond the vulnerable component's security boundary. EPSS score of 0.15% (36th percentile) indicates relatively low automated exploitation probability, and no active exploitation is documented in CISA KEV at time of analysis.

Technical ContextAI

This is a classic stored (persistent) XSS vulnerability classified under CWE-79: Improper Neutralization of Input During Web Page Generation. The Album Reviewer WordPress plugin fails to properly sanitize user-supplied input when processing album review submissions, allowing HTML and JavaScript injection. Unlike reflected XSS, the malicious payload is stored in the WordPress database and executes whenever the compromised content is rendered, making it particularly dangerous for multi-user environments. The CVSS scope change metric (S:C) indicates the vulnerability can affect resources beyond the plugin's security context, typical when injected scripts access WordPress session cookies or interact with other site components. WordPress plugins commonly suffer from XSS when developers use functions like echo or print with unsanitized POST/GET data instead of properly escaping output with esc_html(), esc_attr(), or wp_kses().

Affected ProductsAI

WordPress Album Reviewer plugin versions from unknown starting point through version 2.0.2 are confirmed vulnerable per Patchstack database advisory. The plugin is developed by NotFound and available through the WordPress.org plugin repository. Specific CPE identifiers are not provided in available data. Organizations should check installed plugin versions through WordPress admin dashboard under Plugins section or by examining wp-content/plugins/albumreviewer/ directory for version metadata.

RemediationAI

Update Album Reviewer plugin to a patched version newer than 2.0.2 if available. Check the WordPress plugin repository at wordpress.org/plugins/albumreviewer/ or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/albumreviewer/vulnerability/wordpress-album-reviewer-plugin-2-0-2-cross-site-scripting-xss-vulnerability for current release information. If no patched version exists, implement compensating controls: restrict album submission capabilities to trusted authenticated users only by modifying WordPress role capabilities; implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in POST requests to album review endpoints (may cause false positives with legitimate HTML-like content); consider temporarily disabling the plugin and removing public-facing album review functionality until patches are available (breaks site feature but eliminates attack vector). For high-value targets, manually review existing album review database entries for suspicious JavaScript patterns like <script>, onerror=, onclick= and sanitize stored content, though this does not prevent new injections and requires technical WordPress database expertise.

Share

CVE-2025-25070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy