Unauthenticated Stored-XSS in Photo Gallery by 10Web Plugin for WordPress
CVE-2025-0613

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Photo Gallery By 10web
Vendor: CVE Published:; 31 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Photo Gallery by 10Web WordPress plugin prior to version 1.8.34 exposes a critical security flaw that allows unauthenticated users to inject malicious comments on images. When these comments are displayed, they can lead to an Unauthenticated Stored-XSS attack, compromising the integrity of the web application. This vulnerability underscores the importance of input sanitization and escaping user-generated content to protect against potential exploits.

Affected Version(s)

Photo Gallery by 10Web 0 < 1.8.34

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-0613 - Proof of Concept

References

https://wpscan.com/vulnerability/22be2b44-cd42-4b02-8448-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Mar 31, 2025
👾
Exploit known to exist
Mar 31, 2025
Vulnerability published
Mar 31, 2025
Vulnerability Reserved
Jan 21, 2025

Credit

Matthew Rollings

WPScan