Cyber Posture

CVE-2025-14835

Severity: High
Published: 07 January 2026
Modified: 15 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0024 (47.5th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14835 is a high-severity Basic XSS (CWE-80) vulnerability in WordPress (product inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). Its EPSS score ranks at the 47.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious Link (T1204.001) and one other technique, JavaScript (T1059.007).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Reflected XSS via malicious link directly enables user execution of injected JavaScript in browser context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Deeper analysis (AI)

CVE-2025-14835 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-80, in the WP Photo Album Plus plugin for WordPress. It affects all versions up to and including 9.1.05.008 due to insufficient input sanitization and output escaping of the 'shortcode' parameter. The vulnerability has a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity with network accessibility, no privileges required, user interaction required, and changed scope.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking users into performing actions such as clicking a malicious link. This enables injection of arbitrary web scripts into pages, which execute in the victim's browser context upon successful social engineering.

References point to specific code locations in vulnerable files such as wppa-ajax.php (lines 43 and 1130), wppa-filter.php (line 125), and wppa-functions.php (line 5617) from tag 9.1.05.004. A changeset in the plugin's trunk repository, spanning changes 3426267 to 3427638, indicates developer-applied fixes. Mitigation requires updating the WP Photo Album Plus plugin to a version beyond 9.1.05.008.
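Because the injected script travels in the URL the victim is tricked into opening, the payload is visible in the web server's access log. The following is an added example, not part of this advisory or the plugin's code, of how a defender can flag such requests against the 'shortcode' parameter, including double-encoded ones; the log lines, request paths and the 'action=wppa' value are constructed assumptions, and only the parameter name comes from the description above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format). Paths and 'action=wppa'
# are assumptions; only the 'shortcode' parameter name comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2026:10:01:02 +0000] "GET /gallery/?shortcode=%5Bwppa%20type%3D%22cover%22%5D HTTP/1.1" 200 5123
203.0.113.9 - - [08/Jan/2026:10:02:17 +0000] "GET /wp-admin/admin-ajax.php?action=wppa&shortcode=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812
203.0.113.9 - - [08/Jan/2026:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=wppa&shortcode=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 812
198.51.100.2 - - [08/Jan/2026:10:04:00 +0000] "GET /gallery/?page=2 HTTP/1.1" 200 9981
"""

# Markers of HTML/JavaScript in a value that should only ever hold shortcode text.
MARKERS = [
    re.compile(r"<\s*/?\s*[a-z]", re.I),  # start of an HTML tag
    re.compile(r"javascript\s*:", re.I),   # javascript: URL scheme
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event-handler attribute
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_shortcode_values(log_line):
    """Return decoded 'shortcode' values in one log line that contain HTML/JS markers."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = []
    # parse_qs already applies one round of percent-decoding.
    for raw in parse_qs(query, keep_blank_values=True).get("shortcode", []):
        value = fully_decode(raw)
        if any(marker.search(value) for marker in MARKERS):
            hits.append(value)
    return hits

def scan_log(text):
    """Map 1-based line number -> flagged values, for lines carrying a payload."""
    lines = enumerate(text.splitlines(), 1)
    return {n: hits for n, line in lines if (hits := suspicious_shortcode_values(line))}
```

Legitimate shortcode text such as `[wppa type="cover"]` is not flagged, while both the plainly encoded and the double-encoded payload lines are; tune the marker list to the plugin's real shortcode syntax before deploying it as an alert.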

Details

CWE(s)

CWE-80 (Basic XSS)

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-22501 (shared CWE-80)
CVE-2024-46910 (shared CWE-80)
CVE-2026-6002 (shared CWE-80)
CVE-2024-39363 (shared CWE-80)
CVE-2025-53835 (shared CWE-80)
CVE-2026-32891 (shared CWE-80)
CVE-2025-21612 (shared CWE-80)
CVE-2025-24680 (shared CWE-80)
CVE-2026-33080 (shared CWE-80)
CVE-2024-13497 (shared CWE-80)

References