Skip to main content

Ultimate Before After Image Slider Gallery

1 CVEs product

Monthly

CVE-2025-15665 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

WordPress Information Disclosure Ultimate Before After Image Slider Gallery
NVD WPScan
CVSS 3.1
5.4
EPSS
0.2%
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

WordPress Information Disclosure Ultimate Before After Image Slider Gallery
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy