Skip to main content

Foogallery EUVDEUVD-2025-21116

| CVE-2025-6068 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-11 security@wordfence.com
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 08:17 euvd
EUVD-2025-21116
Analysis Generated
Mar 16, 2026 - 08:17 vuln.today
CVE Published
Jul 11, 2025 - 08:15 nvd
MEDIUM 6.4

DescriptionCVE.org

The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-caption-title & data-caption-description HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis

The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-caption-title & data-caption-description HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

CVE-2023-29439 MEDIUM POC
6.1 May 16

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2024-2762 MEDIUM POC
5.4 Jun 13

The FooGallery WordPress plugin before 2.4.15, foogallery-premium WordPress plugin before 2.4.15 does not validate and e

CVE-2021-24357 MEDIUM POC
5.4 Jun 14

In the Best Image Gallery & Responsive Photo Gallery - FooGallery WordPress plugin before 2.0.35, the Custom CSS field o

CVE-2023-44233 HIGH
8.8 Oct 06

Cross-Site Request Forgery (CSRF) vulnerability in FooPlugins Best WordPress Gallery Plugin - FooGallery plugin <= 2.2.4

CVE-2024-0604 MEDIUM POC
4.4 Feb 29

The Best WordPress Gallery Plugin - FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via adm

CVE-2024-2122 MEDIUM
6.4 Jun 14

The Best WordPress Gallery Plugin - FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via alb

CVE-2024-2081 MEDIUM
6.4 Apr 09

The Best WordPress Gallery Plugin - FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

CVE-2024-2471 MEDIUM
6.4 Apr 06

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields (such as 'T

CVE-2024-12119 MEDIUM
6.4 Mar 08

The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerabl

CVE-2023-44244 MEDIUM
6.1 Oct 02

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2024-12114 MEDIUM
4.3 Mar 08

The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerabl

Share

EUVD-2025-21116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy