CVE-2025-11866 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the aurelienpierre Photographers galleries plugin for WordPress. This vulnerability affects all versions up to and including 1.1.8. The root cause is the plugin's failure to properly sanitize user input and escape output when handling multiple shortcode attributes such as `w`, `h`, `raw_css`, and `look`. These attributes are inserted directly into HTML attributes and inline CSS styles without adequate neutralization, enabling an authenticated attacker with contributor-level access or higher to inject arbitrary JavaScript code. Because the injected scripts are stored in the website's content, they execute whenever any user accesses the affected pages, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires no user interaction beyond visiting the infected page and does not require elevated privileges beyond contributor access, which is commonly granted to trusted users on WordPress sites. The CVSS 3.1 base score is 6.4, reflecting medium severity, with attack vector network, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change affecting confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors or less stringent access controls. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts by site administrators.

The impact of CVE-2025-11866 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, which can lead to session hijacking, theft of authentication tokens, defacement, or redirection to malicious sites. Since the vulnerability is stored XSS, the malicious payload persists and affects all visitors to the compromised pages, amplifying the potential damage. Organizations relying on the Photographers galleries plugin risk reputational damage, data breaches involving user credentials or personal information, and potential compliance violations if user data is exposed. The requirement for contributor-level access lowers the barrier for exploitation compared to vulnerabilities needing administrator privileges, increasing the likelihood of insider threats or compromised contributor accounts being leveraged. Although no known exploits are currently in the wild, the widespread use of WordPress and the plugin in creative and portfolio websites globally means the threat could rapidly escalate if weaponized. The vulnerability does not affect availability but can indirectly cause service disruptions through site defacement or administrative lockout if attackers escalate privileges.

To mitigate CVE-2025-11866, site administrators should immediately restrict contributor-level access to trusted users only and monitor contributor activity for suspicious behavior. Until an official patch is released, applying a Web Application Firewall (WAF) with custom rules to detect and block malicious shortcode attribute payloads can reduce risk. Administrators should audit all existing content created via the Photographers galleries plugin for injected scripts and remove any suspicious code. Implementing strict input validation and output encoding on shortcode attributes is critical; site owners or developers can apply temporary filters or sanitization hooks in WordPress to neutralize potentially dangerous input. Regularly updating WordPress core and plugins is essential once a patch becomes available. Additionally, educating contributors about safe content creation practices and the risks of injecting untrusted code can help prevent exploitation. Monitoring security advisories from the plugin vendor and WordPress security teams will ensure timely application of fixes. Finally, consider disabling or replacing the Photographers galleries plugin with a more secure alternative if immediate patching is not feasible.