CVE-2025-63052 is a stored Cross-site Scripting (XSS) vulnerability identified in the GalleryCreator SimpLy Gallery plugin, specifically affecting versions up to and including 3.2.8. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows an attacker to inject malicious JavaScript code that is stored persistently on the affected site. When other users or administrators view the compromised content, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability requires low privileges (PR:L) to exploit and user interaction (UI:R), such as a victim visiting a maliciously crafted page or content. The CVSS v3.1 base score is 6.5, indicating medium severity, with attack vector being network (AV:N), low attack complexity (AC:L), and scope changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. There are no known public exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is significant because stored XSS can be more damaging than reflected XSS due to persistence and wider impact. The plugin is commonly used in WordPress environments to create galleries, and improper input sanitization in such plugins is a frequent attack vector. The vulnerability was reserved on 2025-10-24 and published on 2025-12-09 by Patchstack, indicating a recent discovery.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the GalleryCreator SimpLy Gallery plugin, especially those running WordPress CMS. Exploitation can lead to unauthorized script execution in users' browsers, potentially resulting in session hijacking, defacement, or data leakage. This can damage organizational reputation, lead to data breaches involving user credentials or personal data, and disrupt web services. Since the vulnerability requires low privileges and user interaction, attackers might exploit it via social engineering or by compromising low-level user accounts. The scope change in the CVSS vector indicates that the impact can extend beyond the immediate vulnerable component, potentially affecting other parts of the web application or connected systems. European organizations with customer-facing websites or intranet portals using this plugin are at risk of targeted attacks, especially in sectors like e-commerce, media, and public services where web presence is critical. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once patches are released or if the vulnerability becomes widely known.

1. Monitor for official patches or updates from GalleryCreator and apply them promptly once available. 2. Implement strict input validation and output encoding on all user-supplied data, especially in gallery-related inputs, to prevent script injection. 3. Restrict user privileges to the minimum necessary, limiting the ability of low-privilege users to inject content. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5. Conduct regular security audits and penetration testing focusing on web application vulnerabilities, including stored XSS. 6. Educate users and administrators about the risks of clicking on untrusted links or content that could trigger malicious scripts. 7. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting known vulnerable plugins. 8. Consider temporarily disabling or replacing the SimpLy Gallery plugin if immediate patching is not feasible, especially on high-risk or critical websites.