CVE-2025-13612 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Album and Image Gallery Plus Lightbox plugin for WordPress. The vulnerability arises from improper neutralization of user-supplied input in the plugin's `aigpl-gallery-album` shortcode, where attributes are not sufficiently sanitized or escaped before being rendered on web pages. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages that utilize this shortcode. Because the injected scripts are stored persistently, they execute every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users without their consent. The vulnerability affects all versions up to and including 2.1.7 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. The impact includes partial confidentiality and integrity loss but no availability impact. No public exploits are currently known, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk, especially for websites allowing contributor-level user input. The vulnerability was published on February 19, 2026, and has been assigned by Wordfence. No official patches or updates are linked yet, so mitigation relies on access control and input validation.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the vulnerable Album and Image Gallery Plus Lightbox plugin installed. The ability for contributor-level users to inject persistent scripts can lead to session hijacking, unauthorized actions, or data theft from site visitors and administrators. This can damage organizational reputation, lead to data breaches, and potentially facilitate further attacks such as privilege escalation or malware distribution. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and small-to-medium enterprises, the impact could be significant if exploited. The vulnerability does not directly affect availability but compromises confidentiality and integrity, which are critical for compliance with regulations such as GDPR. Organizations relying on user-generated content or collaborative publishing are at higher risk. The absence of known exploits reduces immediate threat but should not lead to complacency.

1. Immediately restrict contributor-level user permissions to trusted individuals only, minimizing the risk of malicious input. 2. Disable or remove the Album and Image Gallery Plus Lightbox plugin if not essential, or replace it with a secure alternative. 3. Implement strict input validation and output escaping on all user-supplied data, especially in shortcodes and plugin attributes. 4. Monitor website logs and user activity for unusual behavior or injection attempts. 5. Apply web application firewall (WAF) rules to detect and block XSS payloads targeting the vulnerable shortcode. 6. Keep WordPress core, themes, and plugins updated; watch for official patches from the plugin vendor and apply them promptly once available. 7. Educate content contributors about safe content practices and the risks of injecting scripts. 8. Conduct regular security audits and penetration testing focusing on user input handling in plugins. 9. Consider implementing Content Security Policy (CSP) headers to limit the impact of potential XSS exploitation.