Reflected Cross-Site Scripting in Photo Gallery by 10Web Plugin for WordPress
CVE-2025-2269

6.1 MEDIUM

What is CVE-2025-2269?

The Photo Gallery by 10Web plugin for WordPress is susceptible to a reflected cross-site scripting vulnerability via the 'image_id' parameter. This flaw arises due to inadequate input sanitization and output escaping, creating an opportunity for unauthenticated attackers to inject malicious scripts. Such scripts are executed within the context of the user's session if an administrative user is tricked into performing an action, such as clicking a crafted link. This poses potential risks to website integrity and user security.
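
A defender-side check for the issue described above, added here as an example (not code from the plugin or from this advisory): it scans web access logs for requests whose 'image_id' query parameter is not a plain integer. The integer-only expectation, the combined log format, the /gallery/ path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate image_id is a plain integer.
EXPECTED_VALUE = re.compile(r"\d+")
PARAM = "image_id"


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded values are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_image_ids(log_lines):
    """Return (line_number, decoded_value) for each image_id that is not an integer."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # keep_blank_values so an empty image_id= is also reported
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() != PARAM:
                continue
            decoded = fully_decode(value)
            if not EXPECTED_VALUE.fullmatch(decoded):
                hits.append((number, decoded))
    return hits


# Constructed sample lines (not taken from any real site or from the advisory).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /gallery/?image_id=42 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /gallery/?image_id=7%22%3E%3Cb%3Ex HTTP/1.1" 200 530 "-" "-"',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /gallery/?image_id=7%2522%253E HTTP/1.1" 200 530 "-" "-"',
    '198.51.100.2 - - [01/Jan/2025:10:01:00 +0000] "GET /gallery/?page=2 HTTP/1.1" 200 498 "-" "-"',
]

if __name__ == "__main__":
    for number, value in suspicious_image_ids(SAMPLE_LOG):
        print(f"line {number}: unexpected image_id value {value!r}")
```

The check only sees values carried in the URL query string; parameters sent in a request body do not appear in a standard access log.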

Affected Version(s)

Photo Gallery by 10Web – Mobile-Friendly Image Gallery * <= 1.8.34

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
