Cyber Resilience

CVE-2025-14835
Severity: High
Published: 07 January 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0014 (33.6th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14835 is a high-severity Basic XSS (CWE-80) vulnerability in WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE is ranked at the 33.6th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-14835 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-80, in the WP Photo Album Plus plugin for WordPress. It affects all versions up to and including 9.1.05.008 because the 'shortcode' parameter is neither sufficiently sanitized on input nor escaped on output. The vulnerability has a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity with network accessibility and changed scope.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, but only if they trick a user into an action such as clicking a crafted link. A successful attempt injects arbitrary web script into the page, which then executes in the victim's browser context.

References point to specific code locations in the vulnerable files: wppa-ajax.php (lines 43 and 1130), wppa-filter.php (line 125) and wppa-functions.php (line 5617), all in the plugin's 9.1.05.004 tag. A changeset in the plugin's trunk repository, spanning changes 3426267 to 3427638, contains the developer-applied fix. Mitigation requires updating the WP Photo Album Plus plugin to a version later than 9.1.05.008.


Vulnerability details

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link (tactic: Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1059.007 JavaScript (tactic: Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Reflected XSS via malicious link directly enables user execution of injected JavaScript in browser context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22501 (shared CWE-80)
CVE-2026-6002 (shared CWE-80)
CVE-2024-46910 (shared CWE-80)
CVE-2024-39363 (shared CWE-80)
CVE-2024-13704 (shared CWE-80)
CVE-2026-40873 (shared CWE-80)
CVE-2025-53835 (shared CWE-80)
CVE-2026-32891 (shared CWE-80)
CVE-2026-33080 (shared CWE-80)
CVE-2026-2995 (shared CWE-80)

Affected Assets

WordPress (inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted input such as the 'shortcode' parameter before processing, blocking the reflected XSS payload at its source.

SI-15 Information Output Filtering (prevent): Mandates output filtering/encoding of dynamic content, preventing execution of injected scripts that result from missing escaping in plugin files such as wppa-ajax.php.

SI-2 Flaw Remediation (prevent): Requires timely remediation of known flaws, directly addressed by applying the developer patch (a version later than 9.1.05.008) that fixes the sanitization and escaping deficiencies.
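The weak and hardened patterns behind the deficiency described in the deeper analysis, with the SI-10 and SI-15 controls applied, as an added PHP example that is not the plugin's own code: the handler names, the 'wppa_demo' tag and the attribute whitelist are assumptions; only the WordPress core helpers (check_ajax_referer, wp_unslash, sanitize_text_field, esc_html, esc_attr, shortcode_parse_atts, wp_send_json_error, wp_die, add_action) are real.

```php
<?php
// Added illustration of the bug class behind CVE-2025-14835: a WordPress AJAX
// handler that reflects the 'shortcode' request parameter into HTML.
// This is NOT the WP Photo Album Plus code; the handler names and the
// 'wppa_demo' tag are hypothetical. Only the WordPress core helpers are real.

// Weak pattern: the raw parameter goes straight into the response body, so any
// HTML or script carried in the request is reflected to whoever followed the link.
function wppa_demo_ajax_preview_unsafe() {
    $sc = isset( $_REQUEST['shortcode'] ) ? $_REQUEST['shortcode'] : '';
    echo '<div class="wppa-preview">' . $sc . '</div>';
    wp_die();
}

// Hardened pattern, applying the two controls the analysis names:
//   SI-10: validate and sanitize the input before it is processed, and
//   SI-15: escape every value at the point it is written into the output.
function wppa_demo_ajax_preview_safe() {
    // Tie the request to a nonce issued to this session; a link crafted
    // outside the site fails here before any parameter is touched.
    check_ajax_referer( 'wppa_demo_preview', 'nonce' );

    // SI-10: undo WP's added slashes, then strip tags and control bytes.
    $raw = isset( $_REQUEST['shortcode'] ) ? wp_unslash( $_REQUEST['shortcode'] ) : '';
    $sc  = sanitize_text_field( $raw );

    // SI-10: accept only the syntax a real shortcode can have (one known tag,
    // key="value" attributes from a safe character set). Anything else is
    // rejected outright rather than "cleaned", so no partial payload survives.
    $pattern = '/^\[wppa_demo(?:\s+[a-z_]+="[A-Za-z0-9 _,.\-]*")*\s*\]$/';
    if ( ! preg_match( $pattern, $sc ) ) {
        wp_send_json_error( array( 'message' => 'Invalid shortcode.' ), 400 );
    }

    // SI-15: the shortcode is shown as text, so HTML-escape it; attribute
    // values are escaped separately for the attribute context they land in.
    $atts = shortcode_parse_atts( trim( $sc, '[]' ) );
    echo '<div class="wppa-preview" data-tag="' . esc_attr( 'wppa_demo' ) . '">';
    echo '<code>' . esc_html( $sc ) . '</code>';
    foreach ( (array) $atts as $key => $val ) {
        if ( is_string( $key ) ) { // skip the positional tag-name entry
            echo '<span data-' . esc_attr( $key ) . '="' . esc_attr( $val ) . '"></span>';
        }
    }
    echo '</div>';
    wp_die();
}
add_action( 'wp_ajax_wppa_demo_preview', 'wppa_demo_ajax_preview_safe' );
```

The patch referenced above addresses the same two gaps in the plugin's own handlers; when reviewing a fix, look for both the input-side rejection and the context-specific escaping, since either one alone leaves a reflection path.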
