CVE-2025-2540 – This stored XSS vulnerability in WordPress plug... (How to Fix)

Q: What is the severity of CVE-2025-2540?

CVE-2025-2540 has a CVSS score of 6.4 (MEDIUM). This stored XSS vulnerability in WordPress plugins allows authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Multiple WordPress plugins using the vulnerable prettyPhoto library version 3.1.6 are affected.

📋 TL;DR

This stored XSS vulnerability in WordPress plugins allows authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Multiple WordPress plugins using the vulnerable prettyPhoto library version 3.1.6 are affected.

💻 Affected Systems

Products:

WordPress plugins: awesome-gallery, awesome-wp-image-gallery, easy-image-gallery, woo-3d-viewer, wp-video-lightbox

Versions: Versions containing prettyPhoto library version 3.1.6

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated attacker with at least contributor-level WordPress access. Affects all WordPress installations using vulnerable plugin versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.

🟠

Likely Case

Attackers with contributor access inject malicious scripts to steal user session cookies or credentials from visitors.

🟢

If Mitigated

With proper input validation and output escaping, scripts are neutralized and rendered harmless as text.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires contributor-level WordPress access. XSS payloads can be injected through user-supplied attributes in the prettyPhoto library.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check each plugin's latest version for updates

Vendor Advisory: https://wordpress.org/plugins/

Restart Required: No

Instructions:

1. Update all affected WordPress plugins to latest versions. 2. Verify prettyPhoto library is updated beyond version 3.1.6. 3. Test gallery/lightbox functionality after update.

🔧 Temporary Workarounds

Disable vulnerable plugins

all

Temporarily disable affected plugins until patches are available

wp plugin deactivate plugin-name

Implement Content Security Policy

all

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

🧯 If You Can't Patch

Restrict contributor-level access to trusted users only
Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress plugin directories for jquery.prettyPhoto.js files and examine version headers for 3.1.6

Check Version:

grep -r 'prettyPhoto' /path/to/wordpress/wp-content/plugins/ | grep -i version

Verify Fix Applied:

Verify jquery.prettyPhoto.js files show updated version >3.1.6 and test XSS payloads are properly sanitized

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to plugin endpoints with script tags
Multiple failed authentication attempts followed by successful contributor login

Network Indicators:

Outbound connections to suspicious domains after visiting gallery pages
Unexpected script loads from user-generated content

SIEM Query:

source="wordpress.log" AND ("prettyPhoto" OR "gallery") AND ("script" OR "onerror" OR "javascript:")

📊 Metadata

CVE ID: CVE-2025-2540

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.06% exploit probability (18.2th percentile)

Published: July 3, 2025

Last Updated: July 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2540, you might also want to check these: