CVE-2025-63052

MEDIUM
2025-12-09
6.5
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), MEDIUM 6.5

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.3.2.1.

Analysis

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Technical Context

This vulnerability is a Stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the SimpLy Gallery WordPress plugin, which extends WordPress's gallery functionality through the simply-gallery-block component. The plugin fails to properly sanitize and escape user-supplied input when generating web pages, allowing authenticated users with limited privileges (PR:L per CVSS vector) to store malicious JavaScript payloads. When other users or administrators view the affected gallery content, the unescaped payload executes in their browsers within the same site context (scope change: S:C), compromising the confidentiality, integrity, and availability of page content. The vulnerability is accessible over the network (AV:N) with low attack complexity (AC:L), requiring only basic knowledge of XSS payload construction.

Affected Products

SimpLy Gallery WordPress plugin (simply-gallery-block) versions from initial release through 3.3.2.1 are affected. The vendor advisory from Patchstack identifies the vulnerability as affecting the SimpLy Gallery plugin for WordPress, with specific version tracking available at https://patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve.

Remediation

Update the SimpLy Gallery plugin to a version newer than 3.3.2.1 to obtain the security patch. Site administrators should check for plugin updates in the WordPress admin dashboard under Plugins > Updates and apply the latest available version. As a temporary workaround pending patching, restrict the ability to create or edit gallery content to trusted administrators only by managing WordPress user roles and capabilities (e.g., preventing the 'contributor' or 'editor' roles from accessing the gallery block editor). Review published gallery pages for any suspicious or unusual content that may indicate prior exploitation. For detailed patching guidance and vulnerability confirmation, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve.

Priority Score

33
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0
