CVE-2025-31586: 
WordPress vulnerability analysis and mitigation

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery – Photo Albums Plugin allows Stored XSS. This issue affects Gallery – Photo Albums Plugin versions through 1.3.170. The vulnerability was discovered and disclosed on March 31, 2025 (NVD, Patchstack).

The vulnerability is classified as a Cross-site Scripting (XSS) issue, specifically of the stored variety, identified as CWE-79. It has received a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires low attack complexity, requires low privileges, and needs user interaction to exploit (NVD).

The vulnerability can lead to compromised confidentiality, integrity, and availability, each rated as Low according to the CVSS scoring. As a stored XSS vulnerability, it allows attackers to inject malicious scripts that are permanently stored on the target servers and executed when other users access the affected pages (Patchstack).

Users should update the Gallery – Photo Albums Plugin to a version newer than 1.3.170 if available. If an update is not available, it is recommended to disable the plugin until a patch is released (Patchstack).