CVE-2025-5686 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Paged Gallery plugin for WordPress, developed by andreyk. This vulnerability exists in all versions up to and including 0.7 of the plugin. The root cause is insufficient input sanitization and output escaping of user-supplied attributes within the plugin's 'gallery' shortcode. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages using this shortcode. When other users access these pages, the malicious scripts execute in their browsers. The vulnerability is classified under CWE-80, which pertains to improper neutralization of script-related HTML tags. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote exploitation), low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change indicating that the vulnerability affects components beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability allows an attacker to perform actions such as session hijacking, defacement, or redirecting users to malicious sites by injecting scripts that run in the context of the vulnerable WordPress site.

For European organizations using WordPress sites with the Paged Gallery plugin, this vulnerability poses a significant risk, especially for websites that allow contributor-level users to add or edit content. The stored XSS can lead to compromise of user sessions, theft of sensitive information, or unauthorized actions performed on behalf of users with elevated privileges. This can damage the organization's reputation, lead to data breaches, and potentially violate GDPR requirements concerning data protection and breach notification. Since WordPress is widely used across Europe for corporate, governmental, and e-commerce websites, exploitation could affect a broad range of sectors. The scope change in the CVSS vector indicates that the vulnerability could impact components beyond the plugin itself, potentially affecting other parts of the website or integrated systems. Although no active exploits are known, the ease of exploitation by authenticated users and the persistent nature of stored XSS make this a credible threat that could be weaponized in targeted attacks or insider threat scenarios.

European organizations should immediately audit their WordPress installations to identify if the Paged Gallery plugin (version 0.7 or earlier) is in use. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict contributor-level access strictly to trusted users and review existing contributor accounts for suspicious activity. 2) Implement Web Application Firewall (WAF) rules that detect and block malicious script payloads in the 'gallery' shortcode parameters. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4) Sanitize and validate all user inputs at the application level, possibly by customizing the plugin code to enforce stricter input validation and output escaping. 5) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 6) Plan for an immediate update or removal of the vulnerable plugin once a patch becomes available. 7) Educate content contributors about the risks of injecting untrusted code and enforce secure content creation policies.