CVE-2025-6068: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bradvin FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6068: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bradvin FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Description
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-13T14:00:13.538Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6870bdbba83201eaacacf6fc
Added to database: 7/11/2025, 7:31:07 AM
Last updated: 7/11/2025, 7:31:07 AM
Views: 1
Related Threats
CVE-2025-7442: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in dasinfomedia WPGYM - Wordpress Gym Management System
HighCVE-2025-6745: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in xTemos Woodmart
MediumCVE-2025-5530: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpclever WPC Smart Compare for WooCommerce
MediumCVE-2025-4593: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in avimegladon WP Register Profile With Shortcode
MediumCVE-2025-6716: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in contest-gallery Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI
MediumActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.