CVE-2025-29011 describes a stored cross-site scripting vulnerability in the CHR Designer YouTube Simple Gallery plugin (<= 2.2.0). The issue is caused by improper input neutralization during web page generation, which can allow an attacker with low privileges and requiring user interaction to execute scripts in the context of other users. The vulnerability affects confidentiality, integrity, and availability to a limited extent, reflected in the CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. No patch or remediation information is currently available.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of users visiting the affected web pages, potentially leading to information disclosure, session hijacking, or other impacts on confidentiality, integrity, and availability. The attack requires low privileges and user interaction, and the scope is changed, meaning the vulnerability can affect components beyond the vulnerable component itself. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with input handling and consider restricting user input or applying web application firewall rules to detect and block XSS payloads. Monitor vendor channels for updates regarding patches or official mitigations.