CVE-2025-2269: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'image_id' parameter in versions up to and including 1.8.34. This vulnerability was discovered and disclosed on April 11, 2025 (NVD, Wordfence).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'image_id' parameter in the plugin. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when administrative users perform certain actions, such as clicking on a malicious link. The successful exploitation could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected admin user's session (NVD).

Users should update to a version newer than 1.8.34 when available. Until then, administrators should exercise caution when clicking on links, especially those related to the Photo Gallery plugin's image management functions (NVD).