CVE-2025-1513: 
WordPress vulnerability analysis and mitigation

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-1513) discovered in February 2025. The vulnerability affects all versions up to and including 26.0.0.1, allowing unauthenticated attackers to exploit insufficient input sanitization in the Name and Comment fields when commenting on photo gallery entries (NVD NIST, CVE Mitre).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 6.1 (MEDIUM) according to NIST and 7.2 (HIGH) according to Wordfence. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD NIST).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This can lead to potential data theft, session hijacking, or other malicious actions performed in the context of the affected users' browsers (NVD NIST).

A patch has been released in version 26.0.1 of the plugin. Users are advised to update to this version or later to mitigate the vulnerability (WordPress Patch).