CVE-2025-23478: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress Photo Video Store plugin versions up to 21.07. The vulnerability was identified and reported by João Pedro Soares de Alcântara, with public disclosure occurring on January 16, 2025 (Wordfence, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation, leading to Cross-site Scripting (XSS). It received a CVSS score of 6.1 (Medium) according to Wordfence, while Patchstack assessed it at 7.1 (Medium). The vulnerability allows unauthenticated attackers to inject malicious scripts into web pages (Patchstack).

If exploited, this vulnerability could enable malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would execute when visitors access the compromised site (Patchstack).

As of March 2025, no official fix has been released for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available (Patchstack).