CVE-2025-23478 Overview
CVE-2025-23478 is a reflected Cross-Site Scripting (XSS) vulnerability in the cmsaccount Photo Video Store plugin for WordPress. The flaw affects all plugin versions up to and including 21.07. The plugin fails to properly neutralize user-supplied input during web page generation, allowing attackers to inject malicious scripts that execute in a victim's browser session. The issue is tracked under CWE-79 and was published to the National Vulnerability Database (NVD) on March 3, 2025.
Critical Impact
An unauthenticated attacker can craft a URL that, when opened by a logged-in user, runs attacker-supplied JavaScript in that user's browser under the site's origin. Because WordPress sets its authentication cookies HttpOnly, the realistic impact is not direct cookie theft but actions performed with the victim's session: the script can read nonces from admin pages and submit requests as the victim, harvest credentials through injected forms, and, when the victim is an administrator, create accounts or change site content.
Affected Products
- WordPress Photo Video Store plugin (photo-video-store) by cmsaccount
- All plugin versions from initial release through 21.07
- WordPress sites running the vulnerable plugin in any configuration
Discovery Timeline
- 2025-03-03 - CVE-2025-23478 published to NVD
- 2026-04-23 - CVE-2025-23478 last updated in NVD database
Technical Details for CVE-2025-23478
Vulnerability Analysis
The Photo Video Store plugin reflects user-controlled input back into HTTP responses without applying proper output encoding or input sanitization. When a victim clicks a crafted link containing JavaScript payloads in vulnerable request parameters, the plugin echoes that input into the rendered HTML. The browser then parses the reflected content and executes the attacker's script in the security context of the WordPress site.
Exploitation requires user interaction (a victim must open the crafted link), which is the defining characteristic of reflected XSS. In CVSS terms the scope is changed: the vulnerable component is the plugin code running on the web server, but the impact lands in the victim's browser, where the script runs under the site's origin with the victim's session cookies attached to every same-origin request it makes. Reflected XSS in WordPress plugins is commonly leveraged to perform actions on behalf of an authenticated administrator, such as creating rogue accounts or modifying site content.
EPSS data indicates a probability of 0.112% (29th percentile) as of May 15, 2026, suggesting opportunistic rather than widespread targeting at this time.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The usual shape of this bug in WordPress plugins is a request handler that writes a $_GET, $_POST, or $_REQUEST value straight into the HTML it generates without a context-appropriate escaping helper: esc_html() for text content, esc_attr() for quoted attribute values, esc_url() for href/src, esc_js() or wp_json_encode() for values placed inside script, and wp_kses() where limited markup must be preserved. Escaping has to match the output context, and attribute values have to be quoted, or the helper does not close the hole. Without these escaping primitives, a string carrying a <script> tag or an HTML event handler is rendered as executable markup.
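To make the reflection pattern from the analysis and root-cause paragraphs concrete, the following shell audit helper is an added example, not code from the plugin, the advisory, or the page's author. It greps a plugin's PHP for lines that echo a request parameter without an escaping helper on the same line, and with no argument runs against a constructed sample file whose file name, parameter names and handler (gallery.php, q, next) are hypothetical. The sample's first echo is the vulnerable shape described above; the remaining echos show the context-appropriate escaped alternatives and are not flagged.

```shell
#!/bin/sh
# Added source-audit helper (not code from the plugin or the advisory): list
# lines of a plugin's PHP that echo a request parameter without a WordPress
# escaping or sanitization helper on the same line. A hit is a candidate for
# reflected XSS that needs manual review, not proof of a bug; multi-line
# expressions and values escaped on an earlier line are beyond this heuristic.

# find_unescaped_reflection DIR: print "file:line:code" for candidate lines.
find_unescaped_reflection() {
    grep -rnE --include='*.php' \
        '(echo|print|<\?=).*\$_(GET|POST|REQUEST)\[' "$1" \
      | grep -vE 'esc_(html|attr|url|js|textarea)\(|wp_kses|sanitize_|absint\(|intval\(' \
      || true
}

# count_unescaped_reflection DIR: number of candidate lines, for a CI gate.
count_unescaped_reflection() {
    find_unescaped_reflection "$1" | wc -l | tr -d ' '
}

# Constructed sample plugin tree (hypothetical handler, not the real plugin):
# the first echo is the CWE-79 shape, the others use context-appropriate
# escaping and must not be flagged.
make_sample_plugin() {
    dir=$(mktemp -d)
    mkdir -p "$dir/photo-video-store"
    cat > "$dir/photo-video-store/gallery.php" <<'PHP'
<?php
$q = isset( $_GET['q'] ) ? $_GET['q'] : '';
echo '<input name="q" value="' . $_GET['q'] . '">';               // unescaped: reflected XSS
echo '<input name="q" value="' . esc_attr( $_GET['q'] ) . '">';   // quoted attribute, escaped
echo '<p>Results for ' . esc_html( $q ) . '</p>';                 // HTML text context, escaped
echo '<a href="' . esc_url( $_GET['next'] ) . '">next</a>';       // URL context, escaped
PHP
    printf '%s\n' "$dir"
}

# Usage: sh audit.sh /var/www/html/wp-content/plugins/photo-video-store
# With no argument, the constructed sample is scanned and then deleted.
if [ -n "${1:-}" ]; then
    find_unescaped_reflection "$1"
else
    sample=$(make_sample_plugin)
    find_unescaped_reflection "$sample"
    rm -rf "$sample"
fi
```

Run it against an unpacked copy of any plugin build you are asked to assess; a zero count says only that the single-line heuristic found nothing, so values assigned on one line and echoed on another still need a manual read.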
Attack Vector
The attack vector is network-based and requires no privileges on the target site. An attacker delivers a crafted URL via phishing email, social media, forum post, or malicious advertisement. When a logged-in WordPress user, particularly an administrator, opens the link, the embedded payload executes against the WordPress origin. WordPress marks its authentication cookies HttpOnly, so reading them with document.cookie normally fails; the practical technique is to act from inside the page instead: fetch wp-admin pages to obtain the nonces WordPress requires, then submit forms as the victim (creating users, changing roles, saving content), or convert the reflected bug into stored XSS by saving the payload through administrative functionality the victim is allowed to use.
No verified public exploit code is currently available. Technical details are documented in the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-23478
Indicators of Compromise
- Web server access logs containing requests to photo-video-store plugin endpoints whose query strings decode to <script>, javascript:, or on*= event-handler patterns (match after URL-decoding; payloads are frequently encoded, double-encoded, or mixed case)
- Unexpected outbound HTTP requests from administrator browser sessions to attacker-controlled domains
- Newly created WordPress administrator accounts or modified user roles without corresponding audit trail entries
- Referer headers pointing to external phishing infrastructure preceding suspicious administrative actions
Detection Strategies
- Inspect HTTP request parameters sent to plugin handlers for HTML metacharacters and script tags. Look under /wp-content/plugins/photo-video-store/ and also at wp-admin requests that route to the plugin (admin.php?page=... and admin-ajax.php?action=... carrying the plugin's slug), since WordPress plugins frequently render their pages through wp-admin rather than from files requested directly
- Deploy a Web Application Firewall (WAF) ruleset that flags reflected payloads matching OWASP CRS XSS signatures
- Correlate WordPress audit logs with web access logs to identify administrative actions triggered shortly after a user clicked an external link
Monitoring Recommendations
- Enable verbose WordPress logging through plugins such as WP Activity Log to capture user, IP, and action context
- Forward web server and application logs to a centralized analytics platform for query-based hunting of XSS payload patterns
- Alert on Content Security Policy (CSP) violation reports indicating blocked inline script execution on plugin pages
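The indicators, hunting strategy and log-query recommendation above, as an added example that is not from the page, the advisory, or the plugin vendor: a POSIX shell script that percent-decodes access-log request lines and reports those aimed at the plugin that carry XSS metacharacters. The log lines are constructed for the demonstration; the endpoint file name (view.php), the IP addresses and the phish.example referer are hypothetical, and only the plugin slug photo-video-store comes from the advisory.

```shell
#!/bin/sh
# Added hunting helper (not from the page's advisory or the plugin): scan
# Apache/nginx combined-format access logs for reflected-XSS attempts aimed
# at the plugin. Payloads arrive URL-encoded, so each request line is
# percent-decoded before pattern matching. Endpoint paths and file names
# below are hypothetical; adjust PLUGIN_SLUG and XSS_PATTERN as needed.

PLUGIN_SLUG='photo-video-store'
XSS_PATTERN='<script|javascript:|<svg|<img|<iframe|[^a-z0-9_]on[a-z]+[[:space:]]*='

# Percent-decode stdin line by line ("+" is also treated as a space, as in a
# query string). Pure POSIX awk, so no bash-only printf escapes are needed.
urldecode() {
    awk '
    function hexval(c) { return index("0123456789ABCDEF", toupper(c)) - 1 }
    {
        out = ""; n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (c == "%" && i + 2 <= n) {
                h = hexval(substr($0, i + 1, 1)); l = hexval(substr($0, i + 2, 1))
                if (h >= 0 && l >= 0) { out = out sprintf("%c", h * 16 + l); i += 2; continue }
            }
            if (c == "+") c = " "
            out = out c
        }
        print out
    }'
}

# Read log lines on stdin; print each original line whose decoded request
# targets the plugin (by path or by admin page slug) and carries an XSS
# metacharacter pattern. Matching is case-insensitive.
hunt_plugin_xss() {
    while IFS= read -r line; do
        decoded=$(printf '%s\n' "$line" | urldecode)
        if printf '%s\n' "$decoded" | grep -qiF "$PLUGIN_SLUG" \
           && printf '%s\n' "$decoded" | grep -qiE "$XSS_PATTERN"; then
            printf '%s\n' "$line"
        fi
    done
}

# Number of hits, for an alert threshold in a cron job.
count_plugin_xss_hits() { hunt_plugin_xss | wc -l | tr -d ' '; }

# Constructed sample log (not real traffic): one benign plugin request, two
# encoded payloads aimed at the plugin, and one payload aimed elsewhere.
sample_log() {
    cat <<'LOG'
203.0.113.10 - - [03/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/photo-video-store/view.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2025:10:02:13 +0000] "GET /wp-content/plugins/photo-video-store/view.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "https://phish.example/" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2025:10:02:40 +0000] "GET /wp-admin/admin.php?page=photo-video-store&q=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E HTTP/1.1" 200 9100 "https://phish.example/" "Mozilla/5.0"
192.0.2.5 - - [03/Mar/2025:10:05:00 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
LOG
}

# Usage: sample_log | hunt_plugin_xss
#    or: hunt_plugin_xss < /var/log/apache2/access.log
```

The second and third sample lines are reported; the fourth carries the same payload but does not touch the plugin, so it is left for a site-wide XSS rule. Decoding once is enough for single-encoded payloads; if you see %25 sequences in hits, pipe through urldecode twice.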
How to Mitigate CVE-2025-23478
Immediate Actions Required
- Audit WordPress installations to identify any site running the Photo Video Store plugin at version 21.07 or earlier
- Deactivate and remove the plugin where it is not actively required for business operations
- Invalidate existing sessions for administrator accounts (wp user session destroy <user> --all, or rotate the AUTH_KEY and salt values in wp-config.php, which logs every user out) and reset passwords for accounts that may have opened untrusted links
- Enable a Content Security Policy that disallows inline scripts on the WordPress admin surface. wp-admin itself relies on inline scripts, so a blanket script-src without 'unsafe-inline' will break the dashboard; deploy the policy first as Content-Security-Policy-Report-Only, use the violation reports to build nonce- or hash-based allowances, and only then enforce it
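The audit, removal and session-invalidation steps above as one scripted sweep, added here as an example and not provided by the plugin vendor or the page: for each WordPress install path it checks whether the plugin is present, gates removal on a numeric comparison against 21.07, and then destroys every administrator session with WP-CLI. The site paths on the command line and the assumption that wp is on PATH are the script's own; the version cutoff is the one in the advisory data.

```shell
#!/bin/sh
# Added remediation sweep (not from the page or the plugin vendor): for each
# WordPress install path given on the command line, check whether the
# photo-video-store plugin is present at an affected version, and if so
# deactivate and delete it and invalidate every administrator session so a
# script that already ran in an admin's browser cannot keep using it.
# Assumes wp (WP-CLI) is on PATH and may run as the web server user.

PLUGIN_SLUG='photo-video-store'
LAST_VULNERABLE='21.07'   # highest affected version named in the advisory data

# version_le A B: exit 0 when dotted numeric version A <= B.
# Components compare numerically, so "21.07" == "21.7" and "21.10" > "21.9".
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# is_vulnerable_version V: exit 0 when V is an affected release.
is_vulnerable_version() { version_le "$1" "$LAST_VULNERABLE"; }

# remediate_site PATH: audit one install and print what was done.
remediate_site() {
    site="$1"
    if ! wp --path="$site" plugin is-installed "$PLUGIN_SLUG" 2>/dev/null; then
        printf '%s: %s not installed\n' "$site" "$PLUGIN_SLUG"
        return 0
    fi
    ver=$(wp --path="$site" plugin get "$PLUGIN_SLUG" --field=version)
    if ! is_vulnerable_version "$ver"; then
        printf '%s: %s %s is above %s; no fixed release is listed, so verify against the advisory\n' \
            "$site" "$PLUGIN_SLUG" "$ver" "$LAST_VULNERABLE"
        return 0
    fi
    printf '%s: %s %s is affected, removing\n' "$site" "$PLUGIN_SLUG" "$ver"
    wp --path="$site" plugin deactivate "$PLUGIN_SLUG"
    wp --path="$site" plugin delete "$PLUGIN_SLUG"
    # Log every administrator out everywhere; they must sign in again.
    for uid in $(wp --path="$site" user list --role=administrator --field=ID); do
        wp --path="$site" user session destroy "$uid" --all
    done
}

# Usage: sh sweep.sh /var/www/site1 /var/www/site2   (paths are assumptions)
for site in "$@"; do
    remediate_site "$site"
done
```

An empty or unparsable version string compares as 0 and is treated as affected, which is the conservative choice for a plugin whose fixed release is not yet known.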
Patch Information
No fixed version is identified in the available advisory data. The vulnerability is described as affecting versions up to and including 21.07 with no listed patched release. Site operators should monitor the Patchstack advisory and the WordPress plugin repository for an official update.
Workarounds
- Remove the plugin entirely if no vendor patch is available, given the absence of a confirmed fixed version
- Place the WordPress site behind a WAF configured with reflected XSS protection rules
- Restrict access to the /wp-admin/ interface via IP allowlisting to reduce the population of users who can be targeted
- Train administrative users not to open unsolicited links to the WordPress site, especially long links whose query strings carry encoded characters such as %3C, %3E, or %22
# Configuration example - confirm the installed version, then remove the vulnerable plugin via WP-CLI
wp plugin get photo-video-store --field=version   # affected if this prints 21.07 or lower
wp plugin deactivate photo-video-store
wp plugin delete photo-video-store
wp plugin is-installed photo-video-store; echo $?  # prints 1 once the plugin is gone
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


