CVE-2025-24707 is a reflected Cross-site Scripting (XSS) vulnerability identified in the gt3themes Photo Gallery plugin, a widely used WordPress plugin for managing photo and video galleries. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is reflected back to users without proper sanitization. This flaw affects all versions of the plugin up to and including 2.7.7.24. An attacker can craft a specially designed URL containing malicious script code that, when clicked by a victim, executes in the victim's browser context. This can lead to theft of session cookies, user credentials, or execution of unauthorized actions on behalf of the user. The vulnerability does not require the attacker to be authenticated, increasing the risk of exploitation, although user interaction is necessary to trigger the attack. No official patches or updates are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved and published in early 2025 by Patchstack, a security vendor specializing in WordPress plugin vulnerabilities. The lack of a CVSS score necessitates an independent severity assessment based on the nature of the vulnerability and its potential impact.

The primary impact of this vulnerability is on the confidentiality and integrity of user data and sessions on websites using the vulnerable gt3themes Photo Gallery plugin. Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of a victim's browser, leading to session hijacking, theft of sensitive information such as login credentials, and potential redirection to malicious websites. This can compromise user accounts and potentially allow attackers to escalate privileges or conduct further attacks within the affected web application. The availability impact is generally low but could be indirectly affected if attackers use the vulnerability to deface websites or inject disruptive scripts. Organizations running WordPress sites with this plugin, especially those with high traffic or sensitive user data, face increased risk of reputational damage, data breaches, and regulatory non-compliance. The ease of exploitation without authentication and the widespread use of WordPress globally increase the threat's potential reach and impact.

1. Monitor the gt3themes official channels and Patchstack advisories for the release of a security patch addressing CVE-2025-24707 and apply it promptly. 2. In the interim, restrict or disable the Photo Gallery plugin if feasible, especially on high-risk or sensitive sites. 3. Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block reflected XSS payloads targeting the plugin's parameters. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 5. Conduct thorough input validation and output encoding on all user-supplied data within the web application, particularly for parameters handled by the Photo Gallery plugin. 6. Educate users and administrators about the risks of clicking on untrusted links and encourage the use of security-aware browsing practices. 7. Regularly audit and monitor web server logs for suspicious requests that may indicate attempted exploitation. 8. Consider deploying security plugins that provide additional XSS protection and scanning capabilities for WordPress environments.