CVE-2025-26581

High

Published: 26 March 2025

Published

26 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0011 29.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26581 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

Directly mitigates reflected XSS by requiring filtering of web page outputs to neutralize malicious input before execution in victims' browsers.

SI-10 Information Input Validation good match

prevent

Prevents injection of malicious JavaScript payloads by validating all user inputs to the Picture Gallery plugin before processing or reflection.

SI-2 Flaw Remediation good match

prevent

Addresses the specific flaw in Picture Gallery versions <=1.6.3 through timely patching and flaw remediation to eliminate the improper neutralization vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

Why these techniques?

Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) via crafted malicious URLs and facilitates theft of web session cookies through injected JavaScript execution (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in videowhisper Picture Gallery picture-gallery allows Reflected XSS.This issue affects Picture Gallery: from n/a through <= 1.6.3.

Deeper analysisAI

CVE-2025-26581 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the videowhisper Picture Gallery WordPress plugin (picture-gallery). It affects all versions from an unspecified starting point through 1.6.3. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no required privileges, user interaction, and changed scope.

An unauthenticated attacker can exploit this vulnerability remotely by crafting malicious input that is reflected and executed as JavaScript in a victim's browser when they interact with a specially prepared web page or link. Exploitation requires user interaction, such as clicking a malicious URL, but achieves low impacts on confidentiality, integrity, and availability within a changed scope, potentially enabling session hijacking, data theft, or further site compromise in the victim's context.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/picture-gallery/vulnerability/wordpress-picture-gallery-plugin-1-5-23-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should update to a patched version beyond 1.6.3 if available and apply standard XSS defenses like input sanitization and Content Security Policy.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2025-23681Shared CWE-79

CVE-2025-26879Shared CWE-79

CVE-2026-21264Shared CWE-79

CVE-2026-34559Shared CWE-79

CVE-2025-66376Shared CWE-79

CVE-2026-34932Shared CWE-79

CVE-2025-23960Shared CWE-79

CVE-2025-64538Shared CWE-79

CVE-2025-55208Shared CWE-79

CVE-2026-21284Shared CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/picture-gallery/vulnerability/wordpress-picture-gallery-plugin-1-5-23-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com