FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel < 2.4.32 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | CVE 2025-6068 | Plugin Vulnerabilities

Description

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 2.4.32

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a6be4aaa-f8a1-42d6-95c1-062c5ca51004

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

6afaeedf-1ff4-4888-a46c-cba6c00a62ce

Timeline

Publicly Published

2025-07-10 (about 10 months ago)

Added

2025-07-10 (about 10 months ago)

Last Updated

2025-07-11 (about 10 months ago)

Other

Published

Title

Published

2021-11-15

Title

Shiny Buttons <= 1.1.0 - Unauthenticated Stored Cross-Site Scripting

Published

2019-09-05

Title

WordPress 5.2.2 - Cross-Site Scripting (XSS) in Stored Comments

Published

2025-02-27

Title

Modal Portfolio <= 1.7.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-07-31

Title

MultiParcels Shipping For WooCommerce 1.15.2-1.15.3 - Reflected XSS

Published

2024-03-13

Title

Elementor Addons by Livemesh < 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Carousel Widget