CVE-2025-27004
Published: 08 January 2026
Summary
CVE-2025-27004 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-27004 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the Famous - Responsive Image And Video Grid Gallery WordPress plugin (famous_grid_image_and_video_gallery) developed by LambertGroup, impacting all versions from n/a through 1.4 inclusive. The vulnerability was published on 2026-01-08.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is reachable over the network, has low attack complexity, requires no privileges, and needs user interaction such as clicking a crafted link. A remote attacker can use it to inject a script that executes in the context of a victim's browser session. The scope is changed (S:C) because the injected script runs in the victim's browser rather than in the plugin's own security context; the resulting confidentiality, integrity, and availability impacts are each rated low.
Patchstack advisories document the issue in their vulnerability database for the plugin up to version 1.4, providing details on the Reflected XSS flaw. Security practitioners should consult the referenced advisory at https://patchstack.com/database/Wordpress/Plugin/famous_grid_image_and_video_gallery/vulnerability/wordpress-famous-responsive-image-and-video-grid-gallery-wordpress-plugin-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1521
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery allows Reflected XSS. This issue affects Famous - Responsive Image And Video Grid Gallery WordPress Plugin: from n/a through <= 1.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin is exploited through the web application (T1190); the victim is drawn in via a malicious link (T1204.001), and the payload executes as arbitrary JavaScript (T1059.007) in the victim's browser.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and neutralization of untrusted input before web page generation, blocking the reflected XSS payload in the Famous plugin.
- SI-15 (Information Output Filtering): requires filtering of information output to remove or encode script content, preventing execution of attacker-supplied reflected XSS in the victim's browser.
- Malicious code protection: provides mechanisms to detect and block malicious code (scripts) delivered via the vulnerable plugin's input parameters.
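The following is an added illustration of the two controls named above applied to the CWE-79 pattern in plain PHP. It is not code from the Famous plugin, from LambertGroup, or from the Patchstack advisory; the shortcode handler, the parameter name "gallery_title", and the sample input are assumptions constructed for the example, and nothing here describes how the actual plugin reflects input.

```php
<?php
// Added illustration, not code from the Famous plugin or from LambertGroup.
// A hypothetical gallery shortcode handler reflects a request parameter
// ("gallery_title", an assumed name) into the page. The unsafe version shows
// the CWE-79 pattern; the safe version applies the two controls named on
// this page: SI-10 (validate the input) and SI-15 (encode the output).

declare(strict_types=1);

// Unsafe: untrusted text is concatenated straight into HTML.
function render_heading_unsafe(string $title): string
{
    return '<h2 class="gallery-title">' . $title . '</h2>';
}

// SI-10, Information Input Validation: accept only what the feature needs.
// Here: trimmed, non-empty, at most 80 characters, no control characters.
// Anything else falls back to a fixed default instead of being reflected.
function validate_title(string $raw): string
{
    $title = trim($raw);
    if ($title === ''
        || mb_strlen($title, 'UTF-8') > 80
        || preg_match('/[\x00-\x1F\x7F]/', $title) === 1) {
        return 'Gallery';
    }
    return $title;
}

// SI-15, Information Output Filtering: encode for the exact HTML context the
// value lands in. htmlspecialchars() is the plain-PHP counterpart of
// WordPress's esc_html() for element content and esc_attr() for attributes.
function render_heading_safe(string $raw): string
{
    $title = validate_title($raw);
    $text  = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $attr  = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 class="gallery-title" data-title="' . $attr . '">' . $text . '</h2>';
}

// Constructed sample input: ordinary text that happens to contain markup
// and quotes, exactly the characters an encoder must neutralise.
const SAMPLE_INPUT = 'Summer "2024" <b>gallery</b>';

// Self-check: the safe output must contain no raw markup from the input, and
// the validator must reject oversize or control-character input.
function self_check(): bool
{
    $encoded  = 'Summer &quot;2024&quot; &lt;b&gt;gallery&lt;/b&gt;';
    $expected = '<h2 class="gallery-title" data-title="' . $encoded . '">' . $encoded . '</h2>';
    return render_heading_safe(SAMPLE_INPUT) === $expected
        && strpos(render_heading_unsafe(SAMPLE_INPUT), '<b>') !== false
        && validate_title(str_repeat('a', 81)) === 'Gallery'
        && validate_title("x\x00y") === 'Gallery';
}

echo 'unsafe: ' . render_heading_unsafe(SAMPLE_INPUT) . PHP_EOL;
echo 'safe:   ' . render_heading_safe(SAMPLE_INPUT) . PHP_EOL;
echo 'self-check: ' . (self_check() ? 'ok' : 'FAILED') . PHP_EOL;
```

Run it with `php` on the command line; the safe rendering shows the markup and quotes from the sample input arriving in the page as entities rather than as tags, while the unsafe rendering passes them through verbatim. In a real WordPress plugin the validation step would typically use sanitize_text_field() on the unslashed request value and the output step esc_html() or esc_attr(), chosen by the context the value is written into; encoding for the wrong context (for example, element-content escaping inside a JavaScript string) leaves the reflected-XSS risk in place.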