CVE-2025-60104 is a medium severity vulnerability classified as CWE-79, indicating an Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the Jordy Meow Gallery Custom Links plugin, specifically versions up to 2.2.5. The flaw allows an attacker to inject malicious scripts that are stored and later executed in the context of a victim's browser when they view the affected web pages. The vulnerability arises because the plugin does not properly sanitize or encode user-supplied input before embedding it into web pages, enabling stored XSS attacks. According to the CVSS v3.1 vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L), exploitation requires network access, low attack complexity, high privileges, and user interaction, with a scope change indicating that the vulnerability can affect resources beyond the initially vulnerable component. The impact includes limited confidentiality, integrity, and availability loss, as the attacker can execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, defacement, or further exploitation. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on September 26, 2025, and assigned by Patchstack.

For European organizations using the Jordy Meow Gallery Custom Links plugin, this vulnerability poses a risk primarily to web applications that rely on this plugin for managing gallery links. Successful exploitation could allow attackers to execute malicious scripts in the browsers of authenticated users, leading to session hijacking, unauthorized actions, or data leakage. This can compromise user trust, lead to data breaches involving personal or sensitive information, and potentially disrupt service availability through script-based attacks. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face regulatory penalties if exploited. Additionally, the scope change in the CVSS vector suggests that the impact could extend beyond the plugin itself, potentially affecting other integrated systems or services. Although exploitation requires high privileges and user interaction, the risk remains significant for internal users or administrators who have elevated access and interact with the vulnerable component.

1. Immediate mitigation should include auditing and restricting access to the Gallery Custom Links plugin to minimize exposure, especially limiting high-privilege user roles that can input data into the plugin. 2. Implement strict input validation and output encoding on all user-supplied data within the plugin to neutralize malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Monitor web application logs for unusual input patterns or script injection attempts targeting the plugin. 5. Since no official patch is currently available, consider disabling or removing the plugin until a fix is released. 6. Educate users with high privileges about the risks of interacting with untrusted content and the importance of cautious behavior to prevent social engineering exploitation. 7. Regularly check for updates from the vendor or security advisories to apply patches promptly once available.