CVE-2025-6068 is a stored Cross-Site Scripting (XSS) vulnerability identified in the FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress, developed by bradvin. This vulnerability affects all versions up to and including 2.4.31. The root cause is insufficient input sanitization and output escaping of user-supplied data in the `data-caption-title` and `data-caption-description` HTML attributes. Specifically, authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into these attributes, which is then stored and rendered in pages viewed by other users. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or unauthorized actions performed in the context of the victim’s browser session. The vulnerability does not require user interaction beyond visiting the affected page, and it does not require elevated privileges beyond Contributor access, which is a relatively low privilege level in WordPress. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered for immediate remediation. The lack of official patches at the time of disclosure increases the urgency for mitigation. This vulnerability is categorized under CWE-79, which is a common and well-understood class of web application security issues related to improper neutralization of input during web page generation.

The exploitation of CVE-2025-6068 can have significant impacts on organizations using the FooGallery plugin on WordPress sites, especially those with multiple contributors or editors. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of users, or defacement of web content. This compromises the confidentiality and integrity of user data and site content. While availability is not directly impacted, the reputational damage and potential data breaches can have severe business consequences. Since WordPress powers a large portion of websites globally, including many corporate, governmental, and e-commerce sites, the scope of affected systems is broad. The medium CVSS score reflects that exploitation is feasible without complex conditions but requires authenticated access, limiting the attacker base to insiders or compromised accounts. However, in environments with many contributors or weak access controls, the risk is elevated. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly after disclosure. Organizations failing to address this vulnerability may face targeted attacks aiming to leverage stored XSS for persistent compromise or lateral movement within web environments.

Organizations should immediately audit their WordPress installations to identify the presence of the FooGallery plugin and verify the version in use. Since no official patch is currently available, administrators should consider temporary mitigations such as restricting Contributor-level access to trusted users only and implementing strict input validation and output encoding on the affected attributes if possible via custom code or security plugins. Web Application Firewalls (WAFs) can be configured to detect and block suspicious payloads targeting the `data-caption-title` and `data-caption-description` parameters. Monitoring logs for unusual contributor activity or unexpected script injections can help detect exploitation attempts. Additionally, site administrators should educate contributors about safe content practices and enforce strong authentication mechanisms to reduce the risk of account compromise. Once an official patch is released, immediate application is critical. Regular backups and incident response plans should be in place to recover from potential exploitation. Finally, consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts, mitigating the impact of XSS attacks.