CVE-2025-23889: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in FooGallery Captions plugin versions through 1.0.2. The vulnerability was identified on January 16, 2025, and was assigned CVE-2025-23889. This security issue affects WordPress installations using the FooGallery Captions plugin (Patchstack Database).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79), specifically a Reflected Cross-Site Scripting (XSS) issue. It has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected pages (Patchstack Database).

While no official patch is available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch immediately until an official fix becomes available (Patchstack Database).

The vulnerability was initially reported by security researcher João Pedro Soares de Alcântara (Kinorth) on December 15, 2024. Following the disclosure, Patchstack issued an early warning to their customers on January 16, 2025, before publishing the full details on January 18, 2025 (Patchstack Database).