The My Album Gallery plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-14796. This vulnerability is due to insufficient input sanitization and output escaping of the 'attachment->title' attribute, which is used to store image titles. Authenticated attackers with Author-level access or higher can inject arbitrary JavaScript code into image titles. Because the malicious script is stored persistently, it executes in the context of any user who views the affected page, including administrators or other privileged users. This can lead to theft of session cookies, defacement, or unauthorized actions performed on behalf of users. The vulnerability affects all versions up to and including 1.0.4 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).

This vulnerability allows attackers with Author-level access to inject persistent malicious scripts into the WordPress site via image titles. The impact includes potential theft of user credentials or session tokens, unauthorized actions performed with the privileges of affected users, and possible site defacement or redirection to malicious sites. Since the injected scripts execute in the context of any user viewing the compromised page, including administrators, the confidentiality and integrity of the site and user data are at risk. Although availability is not directly impacted, the trustworthiness and security posture of the affected WordPress sites can be severely undermined. Organizations relying on this plugin may face reputational damage, data breaches, and increased risk of further exploitation if attackers leverage this vulnerability as a foothold.

To mitigate this vulnerability, organizations should immediately update the My Album Gallery plugin to a version that addresses this issue once available. In the absence of an official patch, administrators should implement strict input validation and output escaping on the 'attachment->title' attribute within the plugin code to neutralize malicious scripts. Restricting Author-level privileges to trusted users only can reduce risk. Employing Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting image titles can provide temporary protection. Regularly auditing user-generated content for suspicious scripts and monitoring logs for unusual activities is recommended. Additionally, educating users about the risks of elevated privileges and enforcing the principle of least privilege can limit exploitation potential.