Photonic Gallery Plugin Under Attack: Stored XSS Vulnerability CVE-2025-12691

Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress. Tracked as CVE-2025-12691, this flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses a page containing the injected content.

This vulnerability affects all versions of the Photonic Gallery plugin up to and including version 3.21.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping of the user-supplied caption attribute used by the plugin's lightbox functionality. When users create or edit image galleries, they can provide captions for individual images. The plugin does not adequately sanitize these captions before storing them, and it does not escape them when it renders them on the front-end. An attacker with a Contributor account (which cannot post raw HTML elsewhere in WordPress) can therefore store a caption containing JavaScript; because the plugin itself emits the caption into the page markup, that markup is not subject to the HTML filtering WordPress would otherwise apply to the contributor's content. When a visitor views a page containing the affected gallery and opens the lightbox, the injected script runs in that visitor's browser with that visitor's session.

Example of the kind of payload that could be stored in the caption (the exact form that works depends on where the plugin places the caption in the generated HTML, so treat this as illustrative rather than a verified proof of concept):

<img src=x onerror=alert('XSS Vulnerability')>

CVSS Analysis

  • CVE ID: CVE-2025-12691
  • Severity: MEDIUM
  • CVSS Score: 6.4
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

This vector indicates that exploitation requires a low-privileged account (PR:L, here Contributor or higher) and user interaction (UI:R, a victim has to view the page and open the lightbox). The attack vector is network-based (AV:N), so the caption can be planted remotely through the normal editing interface. Scope is changed (S:C) because the code runs in the browser of a different user than the one who stored it, outside the security scope of the plugin itself. The impact is moderate, with limited confidentiality (C:L) and integrity (I:L) loss in the victim's session and no impact on availability (A:N).

Possible Impact

Successful exploitation of this vulnerability could allow an attacker to:

  • Redirect users to malicious websites.
  • Make authenticated requests from the victim's browser. WordPress sets its authentication cookies as HttpOnly, so the script normally cannot read the login cookie itself, but it can still drive the victim's logged-in session, including fetching the nonces that admin forms require.
  • Deface website content.
  • Perform actions on behalf of the user, such as changing their password or posting malicious content; if the victim is an administrator, this extends to anything that role can do.

Because the attacker needs contributor-level access or higher, the realistic scenario is a low-privileged or compromised account planting a caption that an editor or administrator will later preview or publish. Contributor submissions are reviewed before publication, so privileged users are the natural first victims, and the page also remains dangerous to ordinary visitors once it is live.

Mitigation or Patch Steps

The recommended mitigation is to update the Photonic Gallery plugin to the latest version. Releases after 3.21 contain the fix; confirm the installed version on the Plugins page after updating.

To update, log in to your WordPress admin dashboard and navigate to the "Plugins" section. Locate the Photonic Gallery plugin and click "Update Now". If no update is offered, go to Dashboard > Updates and click "Check again" to refresh the cached update information, or update manually by downloading the latest version from the WordPress plugin repository and replacing the existing plugin files.

If you cannot update immediately, reduce exposure in the meantime: deactivate the plugin, or remove gallery editing from untrusted Contributor and Author accounts until the update is applied. Escaping captions on save is sometimes suggested as a workaround, but it does not fix the underlying output-escaping bug and does nothing for captions already stored in the database, so updating the plugin remains the only reliable fix. After updating, it is also worth reviewing existing galleries for captions that contain HTML, since a payload planted before the update stays in the content until it is removed.
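A check a site owner can run after updating, written for this article and not part of the plugin or WordPress: scan exported post content for shortcode attributes that already carry HTML tags, on* event handlers or javascript: URLs. The shortcode name `gallery`, the attribute layout, and the three sample rows are assumptions constructed for the example; the input format (an array of objects with ID, post_author and post_content) matches what a JSON export of those columns would look like, for instance from WP-CLI's `wp post list --format=json`.

```javascript
// Added example (not Photonic or WordPress code): flags stored shortcode
// attributes that look like XSS payloads, so a site owner can find captions that
// were planted before the plugin was updated. Shortcode name and samples are
// assumptions for illustration.

// Hypothetical shortcode tag; adjust to whatever the installed plugin uses.
const SHORTCODE_RE = /\[(gallery)\b([^\]]*)\]/gi;
// key="value", key='value' or key=value inside the shortcode.
const ATTR_RE = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))/g;
// Anything that should never appear in a plain-text caption.
const SUSPICIOUS_RE = /<\s*\w+|\son\w+\s*=|javascript\s*:/i;

// rows: [{ ID, post_author, post_content }, ...]
// Returns one hit per suspicious attribute value, with enough context to triage.
function findSuspiciousAttributes(rows) {
  const hits = [];
  for (const row of rows) {
    for (const sc of String(row.post_content).matchAll(SHORTCODE_RE)) {
      for (const attr of sc[2].matchAll(ATTR_RE)) {
        const value = attr[2] || attr[3] || attr[4] || '';
        if (SUSPICIOUS_RE.test(value)) {
          hits.push({
            id: row.ID,
            author: row.post_author,
            attribute: attr[1],
            value,
          });
        }
      }
    }
  }
  return hits;
}

// Constructed sample rows (not real site data). Row 101 is benign; 102 carries
// the payload quoted on this page; 103 hides a javascript: link in a caption.
const SAMPLE_ROWS = [
  { ID: 101, post_author: 7,
    post_content: 'Holiday photos [gallery type="flickr" caption="Sunset over the bay"]' },
  { ID: 102, post_author: 12,
    post_content: '[gallery type="smugmug" caption="<img src=x onerror=alert(\'XSS Vulnerability\')>"]' },
  { ID: 103, post_author: 12,
    post_content: "[gallery type='flickr' caption='click <a href=\"javascript:alert(1)\">here</a>'] plain text" },
];

function scanSample() {
  return findSuspiciousAttributes(SAMPLE_ROWS);
}
```

Each hit carries the post ID and author, which is what you need to decide whether the caption is a legitimate oddity or evidence that a Contributor account was used to plant a payload; in the latter case treat it as an incident (reset that account, look at its other edits) rather than just cleaning the caption.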

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
