CVE-2025-14453 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the My Album Gallery plugin for WordPress, developed by ruhul080. The vulnerability exists in all versions up to and including 1.0.4 due to insufficient sanitization and escaping of the 'style_css' shortcode attribute. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability is remotely exploitable over the network without user interaction but requires authentication with at least Contributor rights. The CVSS v3.1 base score is 6.4, reflecting medium severity, with attack vector as network, low attack complexity, privileges required, no user interaction, and scope changed due to impact beyond the vulnerable component. No public exploits or patches have been reported at the time of publication. The vulnerability highlights the risks of improper input handling in WordPress plugins, especially those that allow user-generated content or shortcode attributes to influence page rendering.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites using the My Album Gallery plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially stealing session cookies, defacing content, or performing unauthorized actions on behalf of users. This can lead to account compromise, data leakage, and erosion of user trust. Although availability is not directly affected, successful exploitation could facilitate further attacks that degrade service. Organizations relying on this plugin for content management or photo galleries face risks of reputational damage and compliance issues if user data is exposed. Since exploitation requires authenticated access, the threat is somewhat limited to insiders or compromised accounts but remains significant in multi-user environments or sites with many contributors. The lack of known public exploits reduces immediate risk but does not eliminate it, as attackers may develop exploits once details become widely known.

To mitigate this vulnerability, organizations should immediately restrict Contributor-level permissions to trusted users only and audit existing user roles for unnecessary privileges. Implement strict input validation and output encoding for all shortcode attributes, especially 'style_css', to neutralize malicious scripts. Site administrators should monitor logs and user activity for suspicious behavior indicative of XSS attempts. Applying updates or patches from the plugin developer as soon as they become available is critical. In the absence of official patches, consider disabling the My Album Gallery plugin or replacing it with a secure alternative. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads in shortcode parameters. Additionally, educate content contributors about safe content practices and the risks of injecting untrusted code. Regular security assessments and penetration testing focusing on plugin vulnerabilities can help detect similar issues proactively.