Skip to main content

SW Plus CVE-2025-25108

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shalomworld SW Plus allows Reflected XSS. This issue affects SW Plus: from n/a through 2.1.

AnalysisAI

Reflected cross-site scripting in SW Plus WordPress plugin through version 2.1 allows remote attackers to inject malicious scripts into web pages viewed by other users. Attack requires user interaction (victim must click a malicious link) but needs no authentication. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, consistent with typical reflected XSS patterns requiring social engineering. Patchstack database lists this as a confirmed vulnerability with dedicated entry, though no public exploit code or CISA KEV listing exists at time of analysis.

Technical ContextAI

This is a CWE-79 Cross-Site Scripting vulnerability in the SW Plus WordPress plugin (Shalom World Media Gallery), a media management plugin for WordPress. Reflected XSS occurs when user-supplied input is immediately returned in HTTP responses without proper sanitization or output encoding. The CVSS vector indicates network-based delivery (AV:N) with low attack complexity (AC:L), suggesting the vulnerable parameter is easily accessible via URL or form input. The Changed scope (S:C) indicates the malicious script executes in the victim's browser context, potentially accessing cookies, session tokens, or performing actions as the authenticated user across the WordPress site domain. WordPress plugins commonly suffer from reflected XSS when processing GET/POST parameters for search, filters, or media gallery navigation without applying wp_kses() or esc_html() sanitization functions.

Affected ProductsAI

SW Plus (also known as Shalom World Media Gallery) WordPress plugin versions up to and including 2.1 are confirmed vulnerable per Patchstack database entry. The vulnerability report indicates all versions from inception through 2.1 contain the reflected XSS flaw. No specific platform requirements beyond WordPress installation are documented. Vendor advisory and patch information available at https://patchstack.com/database/wordpress/plugin/shalom-world-media-gallery/vulnerability/wordpress-sw-plus-plugin-2-1-reflected-cross-site-scripting-xss-vulnerability.

RemediationAI

Upgrade SW Plus WordPress plugin to a version newer than 2.1 if available - consult the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/wordpress/plugin/shalom-world-media-gallery/vulnerability/wordpress-sw-plus-plugin-2-1-reflected-cross-site-scripting-xss-vulnerability for the specific patched release. If immediate upgrade is not feasible, implement compensating controls: (1) Deploy Content Security Policy headers with script-src 'self' directive to prevent execution of injected scripts (may break legitimate inline JavaScript in WordPress admin or themes - test thoroughly in staging), (2) Restrict plugin access to trusted administrator accounts only via WordPress capability management, (3) Implement Web Application Firewall rules to detect and block common XSS payloads in URL parameters associated with the media gallery plugin (may cause false positives on legitimate media filenames containing special characters), (4) Disable the SW Plus plugin entirely if media gallery functionality is not actively required. Monitor WordPress access logs for suspicious parameters containing script tags, event handlers, or encoded JavaScript in requests to plugin endpoints.

Share

CVE-2025-25108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy