Album and Image Gallery Plus Lightbox Vulnerability (Medium) – CVE-…

Feb 18, 2026 | Plugins

Attack Vectors

The vulnerability in Album and Image Gallery Plus Lightbox (slug: album-and-image-gallery-plus-lightbox) affects WordPress sites running plugin versions 2.1.7 and earlier. It is a Medium severity issue (CVSS 6.4) identified as CVE-2025-13612.

An attacker needs an authenticated WordPress account with Contributor permissions or higher. From there, they can place a malicious payload inside the plugin’s aigpl-gallery-album shortcode attributes on a page or post they can create or edit. Because the payload is stored with the post, it runs later whenever another user views that page, without the viewer needing to click anything.

Security Weakness

CVE-2025-13612 is a Stored Cross-Site Scripting (XSS) flaw caused by insufficient input sanitization and output escaping of user-supplied shortcode attributes in Album and Image Gallery Plus Lightbox up to version 2.1.7.

In practical business terms, this means the website can unintentionally save and later display attacker-controlled content in a way that runs in a visitor’s browser. The risk is heightened because it can execute for anyone who loads the affected page, potentially including executives, marketing staff, customers, and partners.

Technical or Business Impacts

Stored XSS is often a “trust-breaker” vulnerability: it can allow an attacker to run scripts in the context of your legitimate website. For marketing directors and business leaders, the key concern is not just a technical flaw—it’s the potential for brand damage and loss of customer confidence if site pages are used to display or execute unwanted behavior.

Potential impacts include: disruption of website content and campaigns, misleading calls-to-action, interference with lead-generation forms, reputational harm from visible defacement-like behavior, and increased risk of unauthorized actions performed under a logged-in user’s session. Because this issue requires Contributor-level access, organizations should also consider insider risk and compromised user accounts as realistic scenarios.

Remediation: Update Album and Image Gallery Plus Lightbox to version 2.1.8 or newer. Track the CVE record for reference: https://www.cve.org/CVERecord?id=CVE-2025-13612. Vendor intelligence and details are also available via Wordfence: https://www.wordfence.com/threat-intel/vulnerabilities/id/47cd99ef-d9b0-4be3-8dc4-d7dd56f37c1c.
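The two defensive points above, output escaping of shortcode attributes and finding already-stored payloads in post content, as an added Python example (not the plugin's own code or Wordfence's). It assumes a simplified WordPress-style attribute grammar, hypothetical attribute names `title` and `limit`, and a constructed `SAMPLE_POSTS` dictionary standing in for rows of wp_posts; the suspicious-value regex is a triage heuristic, not a complete XSS detector. It generalizes beyond the single CVE by scanning any post content for markup inside this shortcode's attributes.

```python
import html
import re

# Shortcode tag named on the page; attribute grammar is a simplified version of
# WordPress's own (key="v", key='v', key=v), which likewise stops at the first ']'.
SHORTCODE_RE = re.compile(r"\[aigpl-gallery-album\b([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'\]]+))")

# Heuristic: attribute values should never carry markup, event handlers, a
# javascript: scheme, or numeric entities that could decode into them.
SUSPICIOUS_RE = re.compile(r"<|>|javascript\s*:|\bon\w+\s*=|&#x?[0-9a-f]+;", re.IGNORECASE)

# Constructed sample data, not real site content: post id -> post_content.
SAMPLE_POSTS = {
    101: 'Welcome! [aigpl-gallery-album title="Summer 2025" limit=12]',
    102: ('Team page [aigpl-gallery-album title="Photos<script>alert(1)</script>" limit="abc"]'
          " and [aigpl-gallery-album title='Archive' limit=4]"),
}


def parse_shortcode_attrs(attr_text):
    """Parse the attribute text of one shortcode into a {key: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        key = m.group(1).lower()
        # Exactly one of the three value groups matched; take it (may be "").
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[key] = value
    return attrs


def find_suspicious_shortcodes(post_content):
    """Return [(attr, value), ...] for every shortcode attribute that looks like markup."""
    findings = []
    for m in SHORTCODE_RE.finditer(post_content):
        for key, value in parse_shortcode_attrs(m.group(1)).items():
            if SUSPICIOUS_RE.search(value):
                findings.append((key, value))
    return findings


def scan_posts(posts):
    """Return {post_id: findings} for posts whose shortcode attributes carry markup."""
    report = {}
    for post_id, content in posts.items():
        findings = find_suspicious_shortcodes(content)
        if findings:
            report[post_id] = findings
    return report


def render_unescaped(attrs):
    """The bug class: attribute values interpolated into HTML with no escaping."""
    return f'<div class="aigpl-album" data-limit="{attrs.get("limit", "")}" title="{attrs.get("title", "")}"></div>'


def render_hardened(attrs):
    """Escape for attribute context (the role of esc_attr() in WordPress) and coerce
    numeric attributes to integers (the role of absint())."""
    title = html.escape(attrs.get("title", ""), quote=True)
    try:
        limit = max(0, int(attrs.get("limit", "0")))
    except ValueError:
        limit = 0
    return f'<div class="aigpl-album" data-limit="{limit}" title="{title}"></div>'


if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        for attr, value in findings:
            print(f"post {post_id}: suspicious {attr}={value!r}")
    bad = parse_shortcode_attrs(' title="Photos<script>alert(1)</script>" limit="abc"')
    print("unescaped:", render_unescaped(bad))
    print("hardened: ", render_hardened(bad))
```

In a real triage the `SAMPLE_POSTS` dictionary would be replaced by a query over `wp_posts.post_content` (and `wp_postmeta`, since page builders often store shortcodes there); the scanner reports which post and attribute to review rather than modifying anything.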

Similar Attacks

Stored XSS has been used in real-world breaches to impact brand trust, user safety, and business operations. Examples include:

CISA alerts highlighting web application vulnerabilities (including XSS) in enterprise environments

Publicly cataloged real-world XSS vulnerabilities (CWE-79) across major products

OWASP overview of Cross-Site Scripting and common exploitation patterns
