CVE-2025-27004 Overview
CVE-2025-27004 is a reflected cross-site scripting (XSS) vulnerability in the Famous - Responsive Image And Video Grid Gallery WordPress plugin by LambertGroup. Request input is written into the generated page without adequate sanitization or escaping, so an attacker who can get a victim to open a crafted URL has script of their choosing executed in the victim's browser, in the origin of the vulnerable site.
Critical Impact
An attacker can execute arbitrary JavaScript in the context of the victim's session on the vulnerable site. From there the script can send requests on behalf of an authenticated WordPress user (for an administrator, that includes wp-admin actions such as creating users or editing plugin files, since the script can read the page's nonces), capture credentials typed into the page, and read any cookie not marked HttpOnly. WordPress sets its authentication cookies HttpOnly by default, so the realistic impact is actions performed with the victim's session rather than raw cookie theft.
Affected Products
- Famous - Responsive Image And Video Grid Gallery WordPress Plugin version 1.4 and earlier
- WordPress installations using the famous_grid_image_and_video_gallery plugin
Discovery Timeline
- 2026-01-08 - CVE-2025-27004 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-27004
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as cross-site scripting. The Famous plugin fails to sanitize or escape user-supplied request data before including it in dynamically generated page content. When a victim opens a specially crafted link, the injected script executes in the origin of the vulnerable site: it can read and modify the DOM of the page and issue requests that carry the victim's cookies.
Reflected XSS requires social engineering to get a user to open a malicious URL, and the payload exists only in the response to that one request; nothing is stored on the server. Successful exploitation nonetheless allows session hijacking via forged requests, defacement of the page as the victim sees it, credential theft through injected forms, or redirection to attacker-controlled sites. The vulnerability requires user interaction but can be exploited by unauthenticated attackers over the network.
Root Cause
The root cause is missing output encoding, compounded by missing input validation, in the Famous plugin. User-controlled data is written into the HTML response without escaping appropriate to the context it lands in (text node, attribute value, URL). WordPress provides context-specific escaping functions for exactly this: esc_html() for text content, esc_attr() for attribute values, esc_url() for href and src values, and wp_kses() where a limited set of HTML tags is intentionally allowed. The vulnerable code paths in versions 1.4 and earlier do not apply them to the reflected input.
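To make the root cause concrete, the following is an added example written for this page; it is not code from the Famous plugin, and the advisory does not identify the real vulnerable parameter or code path. It shows a hypothetical WordPress-style shortcode handler that reflects a request parameter (here named famous_cat, a placeholder) first in the unsafe form and then hardened with WordPress's escaping and sanitization API. The shims at the top stand in for the core functions so the file runs under plain php on the command line; inside WordPress the real functions are used.

```php
<?php
// Added example, not plugin code. The parameter name "famous_cat", the
// markup and the function names are hypothetical.
//
// Shims so this runs outside WordPress. They approximate the core functions:
// esc_attr()/esc_html() wrap htmlspecialchars() with ENT_QUOTES, wp_unslash()
// removes the slashes WordPress adds to $_GET, sanitize_key() keeps slug chars.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return is_string( $value ) ? stripslashes( $value ) : $value; }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) { return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) ); }
}

/**
 * Vulnerable pattern (CWE-79): request data is concatenated straight into
 * markup. A value such as  "><script>alert(document.domain)</script>  closes
 * the data-cat attribute and injects a script tag that runs in the site's origin.
 */
function demo_gallery_vulnerable( array $request ) {
    $cat = isset( $request['famous_cat'] ) ? $request['famous_cat'] : '';
    return '<div class="demo-grid" data-cat="' . $cat . '">'
         . '<h2>Gallery: ' . $cat . '</h2></div>';
}

/**
 * Hardened pattern: unslash, validate on input where the value is only ever an
 * identifier, then escape each value for the context it is written into:
 * esc_attr() inside an attribute, esc_html() inside a text node.
 */
function demo_gallery_hardened( array $request ) {
    $raw = isset( $request['famous_cat'] ) ? wp_unslash( $request['famous_cat'] ) : '';
    $key = sanitize_key( $raw ); // whitelist: a category slug never needs <, >, " or '
    return '<div class="demo-grid" data-cat="' . esc_attr( $key ) . '">'
         . '<h2>Gallery: ' . esc_html( $raw ) . '</h2></div>';
}

// Demonstration with a constructed reflected-XSS payload, as it would arrive
// in $_GET after the victim opens a crafted link.
$payload = '"><script>alert(document.domain)</script>';
echo demo_gallery_vulnerable( array( 'famous_cat' => $payload ) ), "\n";
// <div class="demo-grid" data-cat=""><script>alert(document.domain)</script>">...
echo demo_gallery_hardened( array( 'famous_cat' => $payload ) ), "\n";
// <div class="demo-grid" data-cat="scriptalertdocumentdomainscript"><h2>Gallery: &quot;&gt;&lt;script&gt;...
```

The point to carry over to a real code review: escaping has to match the output context (esc_attr() for attributes, esc_html() for text, esc_url() for URLs), and it belongs at the point of output, not only at the point of input, because the same value is often reflected in more than one context.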
Attack Vector
The attack vector is network-based, requiring an attacker to craft a malicious URL containing JavaScript payload and convince a victim to click on it. The attack can be delivered through phishing emails, social media messages, forum posts, or any medium where attackers can distribute links. When the victim's browser processes the response from the vulnerable WordPress site, the malicious script executes in the context of that site's origin.
The attacker does not require any privileges or authentication to craft and distribute the malicious link. In CVSS terms the scope is changed, the conventional scoring for reflected XSS: the impact lands in the victim's browser and authenticated session, a different security authority from the vulnerable plugin itself.
Detection Methods for CVE-2025-27004
Indicators of Compromise
- Review web server access logs for query strings containing JavaScript syntax such as <script>, javascript:, onerror= or other on*= handlers, including URL-encoded (%3Cscript), double-encoded (%253C) and HTML-entity variants; a 200 response to such a request means the server reflected it, a 403 usually means a WAF blocked it
- Where a CSP with reporting is deployed, review violation reports for blocked inline or foreign-origin scripts on pages that render the gallery; the server otherwise has no visibility into connections the victim's browser makes to attacker-controlled hosts
- Check for user reports of unexpected pop-ups, redirects or altered content when visiting your WordPress site via links received by email or social media
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in request parameters
- Deploy Content Security Policy (CSP) headers to restrict script execution sources and provide violation reports
- Do not rely on browser XSS auditors: Chrome removed its XSS Auditor in version 78 and Edge followed, so client-side protection today comes from CSP and from the site's own escaping
- Conduct regular security scans using WordPress security plugins that check for known vulnerable plugin versions
Monitoring Recommendations
- Enable detailed access logging on WordPress installations and review logs for suspicious query strings
- Configure real-time alerting for requests containing potentially malicious script patterns
- Monitor the Patchstack vulnerability database for updates on this vulnerability
- Track plugin update notifications from the WordPress dashboard
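Reviewing access logs for the query-string markers listed under Indicators of Compromise and in the monitoring recommendations above is easy to script. The following is an added example, not part of the advisory or of the plugin: a PHP command-line scanner for combined-format Apache or nginx access logs that URL-decodes each query string (repeatedly, to catch double encoding), decodes HTML entities, and reports requests matching common reflected-XSS markers together with the response status. The sample log lines are constructed for the demonstration, and the famous_cat parameter in them is a placeholder; the advisory does not name the real vulnerable parameter.

```php
<?php
// Added example, not from the advisory. Usage:
//   php xss-log-scan.php /var/log/apache2/access.log
// Without an argument it scans the constructed sample lines at the bottom.

const XSS_PATTERNS = array(
    '/<\s*script\b/i',                                                   // <script ...>
    '/<\s*(img|svg|iframe|body|input|object|embed)\b[^>]*\bon\w+\s*=/i', // tag with on* handler
    '/\bon(error|load|mouseover|focus|click)\s*=/i',                     // bare handler attribute
    '/javascript\s*:/i',                                                 // javascript: URL
);

/** Decode up to three rounds so %253C, %3C and &lt; all become "<"; strip NULs. */
function normalize_query( $q ) {
    $prev = null;
    for ( $i = 0; $i < 3 && $q !== $prev; $i++ ) {
        $prev = $q;
        $q    = rawurldecode( str_replace( '+', ' ', $q ) );
    }
    return str_replace( "\0", '', html_entity_decode( $q, ENT_QUOTES | ENT_HTML5, 'UTF-8' ) );
}

/** Parse one combined-log line; returns null for lines that don't match the format. */
function parse_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5] );
}

/** Returns the first matching pattern for a request target, or null if it looks clean. */
function classify_target( $target ) {
    $pos = strpos( $target, '?' );
    if ( false === $pos ) {
        return null; // no query string, nothing reflected from it
    }
    $decoded = normalize_query( substr( $target, $pos + 1 ) );
    foreach ( XSS_PATTERNS as $pattern ) {
        if ( preg_match( $pattern, $decoded ) ) {
            return $pattern;
        }
    }
    return null;
}

/** Scan an iterable of log lines; returns hits as [ip, time, target, pattern, status]. */
function scan_lines( $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $entry = parse_log_line( $line );
        if ( null === $entry ) {
            continue;
        }
        $pattern = classify_target( $entry['target'] );
        if ( null !== $pattern ) {
            $hits[] = array( $entry['ip'], $entry['time'], $entry['target'], $pattern, $entry['status'] );
        }
    }
    return $hits;
}

// Constructed sample: two attack attempts (plain and double-encoded) and two benign requests.
$sample = array(
    '203.0.113.7 - - [08/Jan/2026:10:02:11 +0000] "GET /gallery/?famous_cat=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jan/2026:10:02:15 +0000] "GET /gallery/?famous_cat=%2522%2520onmouseover%253Dalert(1)%2520 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [08/Jan/2026:10:03:00 +0000] "GET /gallery/?famous_cat=nature&page=2 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Jan/2026:10:04:42 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "curl/8.0"',
);

$lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;
foreach ( scan_lines( $lines ) as $hit ) {
    // A 200 here means the server reflected the payload; 403 usually means a WAF stopped it.
    printf( "%s %s %s (status %d)\n  matched: %s\n", $hit[1], $hit[0], $hit[2], $hit[4], $hit[3] );
}
```

On the sample input the first two lines are reported (the second only because of the repeated decoding) and the two benign requests are not. The pattern list is deliberately short and will miss obfuscated payloads; it is a triage aid for log review, not a substitute for patching or for a WAF.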
How to Mitigate CVE-2025-27004
Immediate Actions Required
- Update the Famous - Responsive Image And Video Grid Gallery WordPress Plugin to a version newer than 1.4 when a patched version becomes available
- Consider temporarily deactivating the plugin if it is not critical to site functionality until a patch is released
- Implement Content Security Policy headers to reduce the impact of any successful XSS exploitation
- Review and audit other installed WordPress plugins for similar vulnerabilities
Patch Information
Monitor the official WordPress plugin repository and the Patchstack security advisory for information regarding patched versions. WordPress site administrators should enable automatic plugin updates where possible to ensure timely application of security fixes.
Workarounds
- Implement a Web Application Firewall (WAF) with rules to filter XSS payloads in URL parameters
- Add Content Security Policy headers to restrict inline script execution
- Consider using WordPress security plugins like Wordfence or Sucuri that provide virtual patching capabilities
- Limit access to the WordPress admin area to trusted IP addresses to reduce the impact of session hijacking
# Example Content Security Policy header configuration for Apache (requires mod_headers)
# Add to .htaccess file in WordPress root directory. Deploy as Content-Security-Policy-Report-Only
# first and review the reports: WordPress core and many themes emit inline scripts that script-src 'self' blocks
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


