CVE-2025-27291 Overview
CVE-2025-27291 is a reflected Cross-Site Scripting (XSS) vulnerability in the uxgallery WordPress Photo Gallery – Image Gallery plugin (photo-image-gallery). The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. All plugin versions up to and including 2.0.4 are affected.
Attackers can craft a malicious URL that, when clicked by an authenticated WordPress user, executes arbitrary JavaScript in the victim's browser session. The scope-changed CVSS vector indicates the injected payload can affect resources beyond the vulnerable component.
Critical Impact
Successful exploitation enables session hijacking, credential theft, and administrative action abuse against WordPress sites running the affected plugin.
Affected Products
- uxgallery WordPress Photo Gallery – Image Gallery plugin (photo-image-gallery) versions through 2.0.4
- WordPress sites with the plugin installed and active
- Administrator and editor accounts targeted via crafted links
Discovery Timeline
- 2025-04-17 - CVE-2025-27291 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-27291
Vulnerability Analysis
The plugin fails to sanitize and encode user-controlled input before reflecting it into HTML responses. An attacker injects JavaScript through a crafted request parameter, and the application returns that payload inside the rendered page without proper output encoding.
The CVSS vector rates scope as changed because JavaScript executed in the WordPress admin context can read cookies, call the WordPress REST API, and use nonces tied to the authenticated session. That lets the payload perform actions that exceed the vulnerable component's privilege boundary.
Exploitation requires user interaction. A victim must click a malicious link or visit an attacker-controlled page containing the crafted request. No authentication is required from the attacker to deliver the payload.
Root Cause
The root cause is missing input validation and missing output encoding in request handlers that echo parameters into HTML. Input arriving from query strings or form fields is concatenated into responses without HTML entity encoding or context-aware escaping such as esc_html(), esc_attr(), or wp_kses().
Attack Vector
The attack vector is network-based and relies on social engineering. An attacker distributes a URL containing a malicious payload, typically through phishing email, forum posts, or compromised third-party sites. When a logged-in WordPress user follows the link, the reflected payload runs in their browser under the site origin.
Because the payload runs in the WordPress admin origin, it can issue authenticated AJAX or REST requests, create new administrative users, install plugins, or exfiltrate session tokens. See the Patchstack Vulnerability Report for technical details.
Detection Methods for CVE-2025-27291
Indicators of Compromise
- Web server access logs containing request parameters with <script>, javascript:, onerror=, or URL-encoded equivalents directed at photo-image-gallery endpoints
- Unexpected administrative user creation, plugin installation, or option changes following user clicks on external links
- Outbound browser requests to unfamiliar domains originating from authenticated WordPress admin sessions
Detection Strategies
- Inspect HTTP request logs for reflected payload patterns hitting plugin URLs and parameters belonging to photo-image-gallery
- Deploy a Web Application Firewall (WAF) rule that flags XSS signatures targeting WordPress plugin paths
- Monitor WordPress audit logs for privileged actions performed shortly after admin users follow external referrers
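The log inspection described above, as an added example that is not part of the original advisory: a small Python scanner that decodes query strings the way the WAF transforms do (repeated URL decoding plus HTML entity decoding) and reports requests to the plugin path that carry any of the listed indicators. The plugin path is taken from the ModSecurity rule on this page; the log lines and the endpoint name are constructed placeholders, not real plugin files or traffic.

```python
import html
import re
from urllib.parse import unquote

# Plugin path as used in the page's ModSecurity rule (real endpoints may differ).
PLUGIN_PATH = "/wp-content/plugins/photo-image-gallery/"
# Reflected-XSS indicators listed in the advisory's IoC section.
XSS_PATTERNS = re.compile(r"(?i)(<script|javascript:|onerror=|onload=)")
# Common/combined log format: ip ident user [ts] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); endpoint.php is a placeholder name.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/'
    'photo-image-gallery/endpoint.php?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Apr/2025:10:02:11 +0000] "GET /wp-content/plugins/'
    'photo-image-gallery/endpoint.php?id=%3Cscript%3Ealert(1)%3C/script%3E'
    ' HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Apr/2025:10:03:40 +0000] "GET /wp-content/plugins/'
    'photo-image-gallery/endpoint.php?id=%2522%2520onerror%253Dalert(1)'
    ' HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [18/Apr/2025:10:04:00 +0000] "GET /index.php?s=%3Cscript%3E'
    ' HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def decode_fully(value, max_rounds=3):
    """Undo repeated URL and HTML-entity encoding so %3Cscript, %253Cscript
    and &lt;script all look the same to the matcher."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(lines):
    """Return one dict per request to the plugin path whose query carries an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        if PLUGIN_PATH not in path:
            continue  # keep the alert scoped to the affected plugin
        found = XSS_PATTERNS.search(decode_fully(query))
        if found:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                         "indicator": found.group(1), "status": int(m.group("status"))})
    return hits
```

Running `find_suspicious(SAMPLE_LOG)` flags the second and third lines (plain and double-encoded payloads) and ignores the fourth, which carries an indicator but targets a path outside the plugin.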
Monitoring Recommendations
- Enable WordPress activity logging plugins to record administrative changes and session events
- Forward web server, WAF, and WordPress logs to a centralized SIEM such as Singularity Data Lake for correlation
- Alert on Content Security Policy (CSP) violation reports referencing inline script execution on admin pages
How to Mitigate CVE-2025-27291
Immediate Actions Required
- Identify all WordPress sites running the photo-image-gallery plugin and confirm the installed version
- Deactivate the plugin on any site running version 2.0.4 or earlier until a patched release is applied
- Force password rotation and review administrator accounts for unauthorized additions
Patch Information
No fixed version is identified in the available NVD data. Site operators should consult the Patchstack Vulnerability Report and the plugin vendor for an updated release beyond 2.0.4.
Workarounds
- Deactivate and remove the photo-image-gallery plugin until a fixed version is published
- Apply WAF rules that block reflected XSS payloads in query strings reaching the plugin's endpoints
- Enforce a strict Content Security Policy on WordPress admin pages to limit inline script execution
- Train administrators to avoid clicking unsolicited links to their own WordPress site
# Example WAF rule (ModSecurity) blocking reflected XSS toward the plugin
SecRule REQUEST_URI "@contains /wp-content/plugins/photo-image-gallery/" \
"id:1002701,phase:2,deny,status:403,\
chain,msg:'CVE-2025-27291 reflected XSS attempt'"
SecRule ARGS "@rx (?i)(<script|onerror=|javascript:|onload=)" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.