{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11834", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-15T19:11:30.761Z", "datePublished": "2025-10-22T08:27:02.620Z", "dateUpdated": "2026-04-08T16:32:27.336Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:27.336Z"}, "affected": [{"vendor": "wiellyam", "product": "WP AD Gallery", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP AD Gallery <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0144ae03-00ce-481d-8d29-7a484f1f6cbf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ad-gallery/tags/1.3/shortcode/shortcode.php#L177"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-10-21T20:16:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T13:25:08.691831Z", "id": "CVE-2025-11834", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T13:25:15.996Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11834", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T13:25:08.691831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T13:25:12.820Z"}}], "cna": {"title": "WP AD Gallery <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wiellyam", "product": "WP AD Gallery", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-21T20:16:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0144ae03-00ce-481d-8d29-7a484f1f6cbf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ad-gallery/tags/1.3/shortcode/shortcode.php#L177"}], "descriptions": [{"lang": "en", "value": "The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:27.336Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11834", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:27.336Z", "dateReserved": "2025-10-15T19:11:30.761Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-22T08:27:02.620Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11834", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-22T09:15:34.730", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ad-gallery/tags/1.3/shortcode/shortcode.php#L177"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0144ae03-00ce-481d-8d29-7a484f1f6cbf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:36:41.252195+00:00", "value": {"mitigation_remediation": ["Upgrade the WP AD Gallery plugin to any version newer than 1.3 to eliminate the vulnerability", "If an upgrade is not immediately possible, remove or disable the WP AD Gallery plugin from the site", "Restrict contributor or higher level account privileges, and audit user roles to ensure only trusted users can submit content that contains shortcodes"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting via the startindex parameter, allowing authenticated users with contributor level or higher to inject arbitrary JavaScript that executes in other users\u2019 browsers."}, "threat_synthesis": {"affected_systems": "All WordPress installations that use WP AD Gallery version 1.3 or earlier are affected. The vulnerability exists in every release up to and including 1.3 and is present across all platforms that support the plugin, such as sites hosted on shared or dedicated WordPress environments.", "description_and_impact": "The WP AD Gallery plugin for WordPress suffers from insufficient input sanitization and output escaping on the startindex parameter of the ad\u2011gallery shortcode. This flaw enables an authenticated attacker who possesses contributor\u2011level access or higher to inject arbitrary JavaScript code. When other users view a page that contains the malicious shortcode, the injected script runs with the victim\u2019s browser context.", "risk_and_exploitability": "The CVSS score of 6.4 represents a moderate severity; the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with at least contributor privileges to exploit this issue. Once authenticated, the attacker can submit a crafted startindex value, resulting in stored cross\u2011site scripting that affects any user who afterwards visits the injected page. Because the flaw is stored, the malicious content persists until the shortcode is removed or the plugin is upgraded."}}}}, "created": "2025-10-23T10:07:59.832369+00:00", "updated": "2026-04-28T10:45:29.417626+00:00", "vendors": ["wiellyam", "wiellyam$PRODUCT$wp_ad_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}