CVE-2025-6716: 
WordPress vulnerability analysis and mitigation

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to and including 26.0.8. The vulnerability was discovered on July 11, 2025, and is tracked as CVE-2025-6716 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping in the 'upload[1][title]' parameter. This security flaw has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability allows authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising user data and interactions (NVD).

Users should upgrade to version 26.0.9 or later of the plugin, which contains fixes for this vulnerability. The update was released through the WordPress plugin repository (WordPress Plugin).