Skip to main content

Parakoos Image Wall CVE-2025-48156

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-16 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Parakoos Image Wall image-wall allows Stored XSS.This issue affects Image Wall: from n/a through <= 3.1.

AnalysisAI

Stored XSS in Parakoos Image Wall WordPress plugin through version 3.1 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising admin accounts or stealing session data. The vulnerability resides in improper input sanitization during web page generation, affecting a plugin with low real-world exploitation probability (EPSS 0.04%) but representing a functional security flaw in plugin logic.

Technical ContextAI

The vulnerability is a Stored Cross-Site Scripting (CWE-79) flaw in the Parakoos Image Wall WordPress plugin, a tool for displaying image galleries. WordPress plugins operate within the wp-admin and frontend contexts with direct access to user-supplied content (image metadata, captions, descriptions). The plugin fails to properly neutralize user input before rendering it in web pages, allowing an attacker to embed executable JavaScript that persists in the WordPress database. When other users (especially administrators) view the affected content, their browsers execute the attacker's script with their privileges, potentially granting access to sensitive WordPress functions.

Affected ProductsAI

Parakoos Image Wall WordPress plugin version 3.1 and all earlier versions are affected. The plugin is identified by its presence in WordPress plugin repositories and CVE references point to vulnerability details at Patchstack's WordPress plugin vulnerability database. Exact CPE designation for WordPress plugins is typically wp-plugin:parakoos:image-wall, with affected version range from inception through 3.1 inclusive.

RemediationAI

Update the Parakoos Image Wall plugin to a version newer than 3.1 immediately upon availability. Consult the official plugin repository or Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/image-wall/vulnerability/wordpress-image-wall-plugin-3-1-cross-site-scripting-xss-vulnerability for patched version details and download links. As an interim workaround before patching, restrict plugin access to trusted administrators only via WordPress user role management, and regularly audit stored image metadata and descriptions for suspicious script tags. Remove any content containing <script>, javascript:, or other XSS payloads from affected galleries until the plugin is updated.

Share

CVE-2025-48156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy