CVE-2025-11866 is a stored cross-site scripting vulnerability classified under CWE-79, found in the aurelienpierre Photographers galleries plugin for WordPress. This vulnerability affects all versions up to and including 1.1.8. The root cause is the plugin's failure to properly sanitize user inputs and escape outputs when processing multiple shortcode attributes such as `w`, `h`, `raw_css`, and `look`. These attributes are inserted directly into HTML attributes and inline CSS styles without adequate neutralization, allowing an authenticated attacker with contributor-level access or higher to inject arbitrary JavaScript code. Because the malicious script is stored persistently in the website’s content, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, unauthorized actions, or data theft. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites that allow contributor-level users to add or edit content. The vulnerability highlights the importance of input validation and output encoding in web applications, especially in plugins that handle user-generated content.

For European organizations, this vulnerability can lead to unauthorized script execution within their WordPress sites, compromising user sessions, stealing sensitive information, or performing actions on behalf of legitimate users. Organizations in sectors relying heavily on WordPress for public-facing content, such as media, creative agencies, and e-commerce, may face reputational damage and data breaches. The requirement for contributor-level access limits the attack surface but does not eliminate risk, especially in environments with multiple content editors or less stringent access controls. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially targeted plugin, potentially impacting the broader site integrity. Given the widespread use of WordPress in Europe and the popularity of photography and portfolio plugins, the vulnerability could be exploited to target European users and customers, leading to privacy violations under GDPR if personal data is compromised. Additionally, the persistent nature of stored XSS increases the risk of long-term exploitation and automated attacks.

European organizations should immediately audit user roles and permissions within their WordPress installations, ensuring that only trusted users have contributor-level or higher access. Implement strict content review workflows to detect suspicious shortcode usage or unexpected script insertions. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads in shortcode attributes. Monitor logs for unusual editing activity or content changes involving the vulnerable attributes. Since no official patch is currently available, consider temporarily disabling or removing the Photographers galleries plugin if feasible. Educate content contributors about the risks of injecting untrusted code and enforce the use of safe content practices. Once a patch or update is released by the vendor, prioritize its deployment. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of potential XSS attacks. Regularly scan WordPress sites with security tools to detect stored XSS and other vulnerabilities.