CVE-2025-7644: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bdthemes Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery
The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-7644 is a stored cross-site scripting (XSS) vulnerability in the Pixel Gallery Addons for Elementor WordPress plugin, whose widgets include Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout and Portfolio Gallery. It is classified as CWE-79 (improper neutralization of input during web page generation): URL values entered into widget settings are neither adequately sanitized when stored nor escaped when the plugin prints them into the page, and the advisory states that every widget is affected. An authenticated user holding the Contributor role or higher can therefore place a payload in a widget's URL field, for example a javascript: URL or a value that closes the href attribute and appends an event handler. The payload is persisted with the page and runs in the browser of every visitor who opens it, in the site's own origin, which is enough to read what the victim's session can read, issue requests carrying the victim's cookies, redirect the visitor, or rewrite the page. The KSES filtering WordPress applies to post content for users who lack the unfiltered_html capability does not cover this path, because the value is stored as a widget setting and rendered by the plugin's own code rather than passing through the post body. All versions up to and including 1.6.7 are affected. The CVSS v3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N): network attack vector, low attack complexity, low privileges required (the Contributor role), no user interaction scored for the injection itself, and changed scope because the script executes in visitors' browsers rather than only within the plugin's own security authority. No public exploit is known at the time of writing, but the installed base of Elementor and its addons makes the issue worth prioritising.
Potential Impact
Successful exploitation gives an attacker with a Contributor account a persistent script on the site's own origin that runs for every visitor to the injected page, including the editors and administrators who open or preview it. In an ordinary visitor's browser that means theft of session-bound data, requests made with the victim's cookies, redirection, defacement or malware delivery. In an administrator's browser the consequences are worse: the script can call wp-admin endpoints with that user's cookies and nonces, so it can create a new administrator account or install a plugin, turning a low-privileged account into full control of the site and a foothold on the hosting environment. Confidentiality and integrity of site content and user data are therefore at stake; availability is not directly affected, although defacement and the cleanup that follows carry operational and reputational cost. Multi-author sites that grant the Contributor or Editor role to many people, or that accept untrusted registrations, carry the most risk. Because Elementor and its addons are installed on a very large number of corporate, e-commerce and media sites, the population of potentially affected sites is large.
Mitigation Recommendations
Identify every WordPress installation running Pixel Gallery Addons for Elementor and check the installed version (Plugins > Installed Plugins, or the WP-CLI plugin listing): anything at or below 1.6.7 is affected. Apply the vendor's fixed release as soon as it is available; this advisory does not name the fixed version, so confirm it against the plugin changelog or the Wordfence advisory rather than assuming the next release is enough. Until the site is updated, limit who holds the Contributor role and above, and bear in mind that Contributors cannot publish but can save drafts and submit them for review, so an Editor or Administrator previewing such a draft executes the payload in a privileged session even though the page never goes live. If the gallery widgets are not essential, deactivate the plugin until it is patched. Web application firewall rules should target the request that saves Elementor page data, since a stored payload enters through the widget's URL setting in the editor rather than through a front-end URL parameter; rules that inspect front-end parameters will not see it. Avoid local patches to third-party plugin code, which the next update overwrites; if a hot-fix is unavoidable it belongs at the output step, restricting URL values to safe schemes and escaping them for the attribute context (in WordPress, esc_url() on href values does both). Review content already on the site: search stored Elementor widget data for URL values that use a javascript: or data: scheme or contain quote or angle-bracket characters, and include revisions and drafts created by Contributor accounts. Watch logs for unexpected administrator creation, plugin installation or option changes that follow page views by privileged users. Brief content contributors on what a link field may contain, and keep tested backups and an incident response plan so that a compromised site can be restored quickly.
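The check the plugin should have applied at output time and the search a defender runs for payloads already stored are the same predicate, so one added example covers both the root cause described under Technical Summary and the content review recommended above. It is illustrative Python written for this page, not the plugin's code, and it assumes (the advisory does not say) that Elementor keeps page content as JSON in the _elementor_data post meta, as a tree of elements with elType, widgetType, settings and child elements, with link and image controls storing their address under a "url" key. The sample tree, its element ids and the widget slug in it are constructed.

```python
# Illustration added to this advisory, not the Pixel Gallery Addons plugin's code.
# Assumed, not stated by the advisory: Elementor stores a page's widgets as JSON in
# the _elementor_data post meta, a tree of elements with elType, optional widgetType,
# a settings dict and child elements; link/image controls keep their address under
# a "url" key. The sample tree at the bottom is constructed.
import html
import json
import re
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"", "http", "https", "mailto", "tel"}   # "" = relative URL
STRIP_CHARS = "".join(chr(i) for i in range(0x21))          # C0 controls + space

def normalize_url(url: str) -> str:
    """Undo the decoding a browser does before it picks a scheme, so that
    '&#106;avascript:' or 'java\\tscript:' is judged as the 'javascript:' it becomes."""
    return re.sub(r"[\t\r\n]", "", html.unescape(url)).strip(STRIP_CHARS)

def url_scheme(url: str) -> str:
    """Scheme of the normalized URL; unparseable input counts as untrusted."""
    try:
        return urlsplit(normalize_url(url)).scheme.lower()
    except ValueError:                       # e.g. unbalanced '[' in the host part
        return "<unparseable>"

def classify_url(url: str) -> Optional[str]:
    """Why a stored URL is unsafe to print into an href, or None if it looks fine.
    Quotes/angles turn an unescaped attribute into href="" onmouseover="...";
    a javascript: URL needs no breakout at all, so the scheme is checked first."""
    scheme = url_scheme(url)
    if scheme not in ALLOWED_SCHEMES:
        return f"disallowed scheme {scheme!r}"
    if any(c in url for c in "\"'<>"):
        return "attribute breakout characters"
    return None

def render_link_vulnerable(url: str, text: str) -> str:
    """The pattern the advisory describes: the stored value is concatenated
    straight into the attribute and reaches every visitor's browser intact."""
    return f'<a href="{url}">{text}</a>'

def render_link_hardened(url: str, text: str) -> str:
    """Allowlist the scheme, then encode for the attribute context. Encoding alone
    defeats breakout characters; only the allowlist stops javascript:, which is a
    well-formed attribute value that encoding leaves executable."""
    href = url if url_scheme(url) in ALLOWED_SCHEMES else ""
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'

def walk_elements(elements: list) -> Iterator[dict]:
    """Depth-first walk of an Elementor element tree (sections, columns, widgets)."""
    for el in elements:
        yield el
        yield from walk_elements(el.get("elements", []))

def find_url_values(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (setting path, value) for every string stored under a "url" key,
    however deeply it sits inside repeater items or media controls."""
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}.{key}" if path else key
            if key == "url" and isinstance(value, str):
                yield sub, value
            else:
                yield from find_url_values(value, sub)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_url_values(value, f"{path}[{i}]")

def scan_elementor_data(raw_json: str) -> List[Tuple[str, str, str, str, str]]:
    """(element kind, element id, setting path, url, reason) for every stored URL
    in one _elementor_data value that classify_url() rejects."""
    findings = []
    for el in walk_elements(json.loads(raw_json)):
        kind = el.get("widgetType") or el.get("elType", "?")
        for path, url in find_url_values(el.get("settings", {})):
            reason = classify_url(url)
            if reason:
                findings.append((kind, el.get("id", "?"), path, url, reason))
    return findings

# Constructed sample _elementor_data: section > column > one gallery widget whose
# repeater holds five URLs, three of them payloads. The widget slug is a placeholder.
SAMPLE_ELEMENTOR_DATA = json.dumps([{
    "id": "a1b2c3", "elType": "section", "settings": {}, "elements": [{
        "id": "d4e5f6", "elType": "column", "settings": {}, "elements": [{
            "id": "7a8b9c", "elType": "widget", "widgetType": "example-gallery-grid",
            "settings": {"items": [
                {"_id": "i1", "link": {"url": "https://example.com/portfolio/1"},
                 "image": {"url": "https://example.com/1.jpg", "id": 10}},
                {"_id": "i2", "link": {"url": "javascript:alert(document.cookie)"}},
                {"_id": "i3", "link": {"url": "\" onmouseover=\"alert(1)"}},
                {"_id": "i4", "link": {"url": " java\tscript:alert(1)"}},
            ]},
            "elements": [],
        }],
    }],
}])

if __name__ == "__main__":
    for kind, el_id, path, url, reason in scan_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print(f"{kind} {el_id} {path}: {url!r} -> {reason}")
```

Running the file prints the three flagged repeater entries: the plain javascript: URL, the quote-breakout value, and the tab-obfuscated javascript: URL that a naive substring match on "javascript:" would miss. On a real site, pass each _elementor_data row from the postmeta table to scan_elementor_data and review findings per post, including revisions and drafts. classify_url deliberately over-flags a legitimate URL that contains an apostrophe, which suits a hunt; the hardened renderer does not reject such a URL, it encodes it, because encoding is what neutralizes breakout characters and the scheme allowlist is what neutralizes javascript:.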
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-14T15:22:33.545Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687f140aa83201eaac181672
Added to database: 7/22/2025, 4:31:06 AM
Last enriched: 2/26/2026, 4:20:48 PM
Last updated: 3/24/2026, 5:00:16 PM