CVE-2025-60104 is a medium-severity vulnerability classified under CWE-79, which pertains to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the Jordy Meow Gallery Custom Links plugin, versions up to and including 2.2.5. The flaw allows an attacker to inject malicious scripts that are stored persistently within the application, leading to Stored XSS. Stored XSS occurs when malicious input is saved by the application and later rendered in web pages without proper sanitization or encoding, enabling the execution of arbitrary JavaScript in the context of users’ browsers. The CVSS 3.1 base score of 5.9 reflects a medium severity, with the vector indicating that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component, and the impact is low on confidentiality, integrity, and availability (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability arises from insufficient input validation or output encoding during web page generation, allowing malicious payloads to be stored and executed when other users view the affected content. This can lead to session hijacking, defacement, or redirection to malicious sites, undermining user trust and potentially enabling further attacks.

For European organizations using the Jordy Meow Gallery Custom Links plugin, this vulnerability poses a risk primarily to web applications that rely on this plugin for managing gallery links. Exploitation could lead to unauthorized script execution in users’ browsers, potentially resulting in session theft, credential compromise, or unauthorized actions performed on behalf of users. This can damage the reputation of organizations, lead to data breaches, and violate data protection regulations such as GDPR if personal data is exposed or manipulated. Given the requirement for high privileges to exploit and user interaction, the risk is somewhat mitigated but still significant for administrative users or trusted roles. Organizations in sectors with high web presence, such as media, e-commerce, and cultural institutions, may face increased risk. Additionally, the cross-site scripting vulnerability could be leveraged as a stepping stone for more complex attacks, including phishing or malware distribution campaigns targeting European users.

1. Immediate mitigation should include disabling or restricting access to the Gallery Custom Links plugin until a patch is available. 2. Implement strict input validation and output encoding on all user-supplied data within the plugin, especially for fields that generate web page content. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Conduct thorough code review and security testing of the plugin to identify and remediate all instances of improper input handling. 5. Educate administrators and users about the risks of clicking on untrusted links or interacting with suspicious content within the gallery. 6. Monitor web application logs for unusual activities or injection attempts related to the plugin. 7. Once a patch is released by Jordy Meow, prioritize prompt application of updates. 8. Consider implementing web application firewalls (WAF) with rules to detect and block XSS payloads targeting this plugin.