PHP CVE-2025-48156

Cross-site Scripting (XSS) (CWE-79)
2025-07-16

Lifecycle Timeline (2 events)

CVE Published: Jul 16, 2025 - 11:15 (source: nvd)
Analysis Generated: Apr 01, 2026 - 17:43 (source: vuln.today)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Parakoos Image Wall image-wall allows Stored XSS. This issue affects Image Wall: from n/a through <= 3.1.

Analysis (AI)

Stored XSS in the Parakoos Image Wall WordPress plugin, through version 3.1, lets a user who can supply content the plugin renders (this entry describes the attacker as an authenticated user; the required role is not stated) persist script that later executes in the browsers of other visitors, including administrators viewing the gallery. The realistic impact is actions performed with the victim's privileges (for example through wp-admin or the REST API using nonces present in the page) rather than direct cookie theft, since WordPress sets its authentication cookies HttpOnly by default. The root cause is missing output encoding of stored values during page generation. EPSS rates real-world exploitation probability low (0.04%), but the flaw is a concrete defect in the plugin's output handling, not a configuration issue.

Technical Context (AI)

The vulnerability is a Stored Cross-Site Scripting (CWE-79) flaw in the Parakoos Image Wall WordPress plugin, a tool for displaying image galleries. WordPress plugins run both in wp-admin and on the public frontend and render user-supplied content (image titles, captions, alt text, descriptions) that lower-privileged users can write. The plugin emits that content into its markup without context-appropriate escaping, so a value containing HTML or JavaScript is stored in the WordPress database verbatim and rendered as code instead of text. When other users (especially administrators) view the affected gallery, their browsers execute the attacker's script with their session, giving it access to whatever those users can do in WordPress.
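The pattern described above, as an added illustration and not code from the Image Wall plugin: one gallery tile rendered by string concatenation (the vulnerable shape) and the same tile rendered with WordPress's context-specific escaping helpers. The sample image record, its payloads and the function names are constructed for the example; the esc_attr/esc_html/esc_url shims exist only so the file runs under plain php, and are skipped when WordPress has already loaded the real ones.

```php
<?php
// Added illustration (not the Image Wall plugin's code): a gallery tile
// rendered the insecure way and the hardened way.

// Shims so this runs outside WordPress. When WordPress is loaded the real
// esc_attr()/esc_html()/esc_url() are used instead; esc_url() in core also
// drops javascript: URLs because that scheme is not in wp_allowed_protocols().
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: only http(s) URLs pass; anything else becomes "".
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}

// Constructed sample record as a low-privileged user could have saved it:
// the caption and link are attacker-controlled strings read from the database.
$image = [
    'src'     => 'https://example.invalid/uploads/photo.jpg',
    'caption' => '<img src=x onerror=alert(document.domain)>',
    'link'    => 'javascript:alert(document.domain)',
];

// VULNERABLE (CWE-79): stored strings are concatenated straight into markup.
// The caption executes when the <span> is rendered, and the link is a
// clickable javascript: URL.
function render_tile_vulnerable(array $img): string {
    return '<a href="' . $img['link'] . '">'
         . '<img src="' . $img['src'] . '" alt="' . $img['caption'] . '">'
         . '<span class="caption">' . $img['caption'] . '</span></a>';
}

// HARDENED: escape each value for the context it lands in
// (URL attribute, plain attribute, text node).
function render_tile_hardened(array $img): string {
    return '<a href="' . esc_url($img['link']) . '">'
         . '<img src="' . esc_url($img['src']) . '" alt="' . esc_attr($img['caption']) . '">'
         . '<span class="caption">' . esc_html($img['caption']) . '</span></a>';
}

echo "vulnerable: " . render_tile_vulnerable($image) . PHP_EOL;
echo "hardened:   " . render_tile_hardened($image) . PHP_EOL;
```

Two caveats when applying this to a real plugin. First, escaping belongs at output time, per context; sanitising on input alone does not protect values that were stored before the fix or that arrive through another path. Second, where a field is meant to allow limited HTML (a rich caption), wp_kses_post() is the appropriate filter rather than esc_html(), and Administrators and (on single-site installs) Editors hold the unfiltered_html capability, so the bug's real exposure comes from accounts below those roles.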

Affected Products (AI)

Parakoos Image Wall (WordPress.org plugin slug image-wall) version 3.1 and all earlier versions are affected; the advisory gives the range as n/a through 3.1 inclusive. The CVE references point to Patchstack's WordPress plugin vulnerability database for details. No CPE is quoted in this entry, so identify affected installs by plugin slug and installed version (the Version header of the plugin's main file, or the Plugins screen in wp-admin) rather than by CPE matching.

Remediation (AI)

Update the Parakoos Image Wall plugin to a release newer than 3.1 as soon as one is available; check the WordPress.org plugin page and the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/image-wall/vulnerability/wordpress-image-wall-plugin-3-1-cross-site-scripting-xss-vulnerability for the fixed version. Until then, reduce who can reach the vulnerable sink: limit the roles allowed to upload media and edit image titles, captions, alt text and descriptions to trusted users, because those are the stored fields the plugin renders. Administrators and, on single-site installs, Editors can store raw HTML by design (the unfiltered_html capability), so the exposure from this bug comes from lower-privileged accounts. Audit existing attachment metadata for <script> tags, javascript: URLs, on*= event handlers and similar payloads, and remove any hits until the plugin is updated. A Content-Security-Policy whose script-src omits 'unsafe-inline' blocks the inline payloads this bug produces as defence in depth, but it does not fix the plugin and should not replace the update.
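The audit step above as an added example (not code from the plugin, vuln.today or Patchstack). It scans the core WordPress attachment fields a gallery plugin typically renders: title, caption (post_excerpt), description (post_content) and alt text (postmeta key _wp_attachment_image_alt). The assumption is that Image Wall reads these core fields; if it keeps its own settings, extend the query to wp_options in the same way. The indicator list, function names and sample rows are constructed for the example; inside WordPress (for instance via wp eval-file) the rows come from $wpdb, otherwise the embedded sample rows are used so the script runs offline.

```php
<?php
// Added audit script (not the plugin's code). Flags attachment metadata that
// contains XSS indicators so it can be reviewed and cleaned before the update.

/** Indicator patterns that should never appear in image metadata. */
const XSS_INDICATORS = [
    'script tag'      => '/<\s*script\b/i',
    'javascript: url' => '/javascript\s*:/i',
    'event handler'   => '/\bon[a-z]+\s*=/i',
    'embed tag'       => '/<\s*(iframe|object|embed|svg|math)\b/i',
    'data:text/html'  => '/data\s*:\s*text\/html/i',
];

/**
 * Findings for one attachment row.
 * $row keys: ID, post_title, post_excerpt, post_content, alt (alt may be null).
 * Entities are decoded first so a double-encoded payload is still flagged;
 * hits are conservative and meant for manual review.
 */
function scan_attachment(array $row): array {
    $findings = [];
    foreach (['post_title', 'post_excerpt', 'post_content', 'alt'] as $field) {
        $value = html_entity_decode((string) ($row[$field] ?? ''), ENT_QUOTES, 'UTF-8');
        foreach (XSS_INDICATORS as $label => $pattern) {
            if (preg_match($pattern, $value)) {
                $findings[] = ['id' => (int) $row['ID'], 'field' => $field, 'hit' => $label];
            }
        }
    }
    return $findings;
}

/** Scan every row and return all findings. */
function scan_all(array $rows): array {
    $out = [];
    foreach ($rows as $row) {
        foreach (scan_attachment($row) as $f) {
            $out[] = $f;
        }
    }
    return $out;
}

if (isset($wpdb)) {
    // Inside WordPress (e.g. `wp eval-file audit.php`): pull the real rows.
    $rows = $wpdb->get_results(
        "SELECT p.ID, p.post_title, p.post_excerpt, p.post_content, m.meta_value AS alt
           FROM {$wpdb->posts} p
      LEFT JOIN {$wpdb->postmeta} m
             ON m.post_id = p.ID AND m.meta_key = '_wp_attachment_image_alt'
          WHERE p.post_type = 'attachment'",
        ARRAY_A
    );
} else {
    // Constructed sample rows so the script runs outside WordPress.
    $rows = [
        ['ID' => 11, 'post_title' => 'Beach', 'post_excerpt' => 'Sunset at the beach',
         'post_content' => 'Taken in July', 'alt' => 'sunset'],
        ['ID' => 12, 'post_title' => 'Cat', 'post_excerpt' => '<img src=x onerror="alert(1)">',
         'post_content' => '', 'alt' => null],
        ['ID' => 13, 'post_title' => 'Link',
         'post_excerpt' => 'see &lt;script&gt;fetch("//evil.invalid")&lt;/script&gt;',
         'post_content' => 'click <a href="javascript:alert(1)">here</a>', 'alt' => 'x'],
    ];
}

// With the sample rows: 12/post_excerpt (event handler), 13/post_excerpt
// (script tag), 13/post_content (javascript: url).
foreach (scan_all($rows) as $f) {
    printf("attachment %d: %s contains %s\n", $f['id'], $f['field'], $f['hit']);
}
```

Each hit identifies an attachment ID and field; clean the value in the Media Library (or with wp post update / wp post meta update) and note the uploading user, since that account is the one that exercised the bug. The patterns deliberately over-match (a caption containing "one=" will trip the event-handler check), so review hits rather than deleting automatically.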


CVE-2025-48156 vulnerability details – vuln.today
