CVE-2025-23959 Overview
CVE-2025-23959 is a reflected cross-site scripting (XSS) vulnerability in the Linus Lundahl Good Old Gallery plugin for WordPress. The flaw affects all versions up to and including 2.1.2. The plugin fails to properly neutralize user-supplied input during web page generation, allowing attackers to inject malicious script content [CWE-79].
Exploitation requires a victim to click a crafted link. When triggered, attacker-controlled JavaScript executes in the victim's browser under the context of the vulnerable WordPress site.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in a victim's browser, enabling session theft, credential harvesting, and unauthorized actions against the affected WordPress site.
Affected Products
- Good Old Gallery WordPress plugin versions through 2.1.2
- WordPress installations with the good-old-gallery plugin enabled
- Sites exposing plugin endpoints that reflect unsanitized parameters
Discovery Timeline
- 2025-01-22 - CVE-2025-23959 published to the National Vulnerability Database
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23959
Vulnerability Analysis
The vulnerability resides in the Good Old Gallery plugin's handling of HTTP request parameters. Input data flows into the rendered HTML response without proper encoding or sanitization. An attacker constructs a URL containing JavaScript payloads in vulnerable parameters. When a logged-in user or site visitor clicks the link, the payload reflects back into the page and executes in the browser.
The vulnerability has a limited impact on each of confidentiality, integrity, and availability, but its scope is changed: the injected script can affect resources beyond the vulnerable component, such as authenticated administrative sessions. According to the available EPSS data, the exploit probability is 0.232%, at the 45.967th percentile.
Root Cause
The root cause is improper neutralization of input during web page generation. The plugin echoes request-derived values into HTML output without applying contextual output encoding such as esc_html(), esc_attr(), or wp_kses(). This omission permits HTML and JavaScript tokens within request parameters to be interpreted as markup by the browser.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker delivers a crafted URL through phishing, social media, comments, or other channels. The victim must click the link or visit an attacker-controlled page that triggers the request. The injected script then runs with the privileges of the victim's WordPress session.
This advisory describes the vulnerability in prose only; see the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-23959
Indicators of Compromise
- HTTP requests to Good Old Gallery plugin endpoints containing <script>, javascript:, or HTML event handler tokens such as onerror= or onload=
- Web server access logs showing URL-encoded payloads like %3Cscript%3E targeting plugin parameters
- Unexpected outbound requests from administrator browsers to unfamiliar domains shortly after clicking a crafted link
Detection Strategies
- Inspect web access logs for query strings containing script tags, encoded angle brackets, or JavaScript scheme handlers targeting the good-old-gallery plugin path
- Deploy a web application firewall rule set that flags reflected XSS patterns on WordPress request parameters
- Correlate referrer fields with suspicious external domains that may host phishing pages distributing crafted URLs
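As an added example (not from the advisory or the plugin), the log-inspection strategy above in Python: it parses combined-format access log lines, percent-decodes each parameter repeatedly so double-encoded payloads are still seen, and flags values carrying the indicator tokens listed above. The plugin directory and the gallery.php endpoint are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

PLUGIN_SLUG = "good-old-gallery"  # assumption: plugin served from its standard slug directory

# Indicator tokens named in the advisory: script tags, javascript: scheme, HTML event handlers.
XSS_TOKEN = re.compile(r"<\s*script\b|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*=", re.I)

# Apache/nginx "combined" access-log format.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url):
    """Return (param, decoded_value) pairs whose value carries an XSS token."""
    query = urlsplit(url).query
    return [(name, fully_decode(raw)) for name, raw in parse_qsl(query, keep_blank_values=True)
            if XSS_TOKEN.search(fully_decode(raw))]

def scan_log(text):
    """One finding per suspicious request; targets_plugin flags hits on the plugin path."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and (hits := inspect_request(m["url"])):
            findings.append({"ip": m["ip"], "referer": m["referer"],
                             "targets_plugin": PLUGIN_SLUG in m["url"], "params": hits})
    return findings

# Constructed sample lines (hypothetical endpoint gallery.php; not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2025:10:15:01 +0000] "GET /?page_id=12&gallery=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [22/Jan/2025:10:16:44 +0000] "GET /wp-content/plugins/good-old-gallery/gallery.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 880 "http://phish.example/lure" "Mozilla/5.0"
203.0.113.12 - - [22/Jan/2025:10:17:02 +0000] "GET /wp-content/plugins/good-old-gallery/gallery.php?id=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 880 "-" "Mozilla/5.0"
203.0.113.13 - - [22/Jan/2025:10:18:30 +0000] "GET /?s=once%3D1 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The referer field is kept in each finding so hits can be correlated with external domains, as the last strategy above suggests.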
Monitoring Recommendations
- Enable WordPress audit logging to record administrator activity and identify session anomalies
- Monitor Content Security Policy (CSP) violation reports for unexpected inline script execution
- Track plugin version inventory across WordPress sites to identify hosts running Good Old Gallery 2.1.2 or earlier
How to Mitigate CVE-2025-23959
Immediate Actions Required
- Disable or remove the Good Old Gallery plugin until a patched version is available
- Audit administrator accounts for unauthorized changes, new users, or modified content
- Apply a Content Security Policy that restricts inline script execution on the WordPress site
Patch Information
At the time of the latest NVD update, the advisory lists affected versions through 2.1.2 without an explicitly identified fixed release. Refer to the Patchstack Vulnerability Report for the latest patch status and upgrade guidance.
Workarounds
- Deactivate the good-old-gallery plugin in the WordPress administrative console
- Deploy a WAF rule that blocks requests containing script tags or JavaScript scheme handlers in query parameters
- Educate administrators to avoid clicking unsolicited links referencing the WordPress site
- Enforce least privilege by limiting administrative session lifetime and requiring re-authentication for sensitive actions
# Configuration example: disable the plugin via WP-CLI
wp plugin deactivate good-old-gallery
wp plugin delete good-old-gallery
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.