CVE-2025-11866

Name of the Vulnerable Software and Affected Versions Photographers galleries plugin for WordPress versions up to and including 1.1.8

Description The Photographers galleries plugin for WordPress is susceptible to Stored Cross-Site Scripting through multiple shortcode attributes, including w, h, raw css, and look. The issue arises from insufficient sanitization of user input and inadequate output escaping when these values are incorporated into HTML attributes and inline styles. This allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts will then execute whenever a user accesses the compromised page.

Recommendations Versions prior to 1.1.8 should be updated to a newer version that addresses this issue.