Gallery by FooGallery Vulnerability (Medium) – CVE-2026-25362

by | Feb 24, 2026 | Plugins

Attack Vectors

Gallery by FooGallery (plugin slug: foogallery) is affected by a Medium-severity stored cross-site scripting vulnerability (CVSS 6.4) tracked as CVE-2026-25362. The issue impacts versions up to and including 3.1.11.

This is an authenticated, Author+ stored cross-site scripting (XSS) scenario: the attacker must first hold a legitimate WordPress login with Author-level permissions or higher (for example, a compromised author account, a malicious contractor, or a misused internal account). From there, they can inject script content through the plugin that is stored server-side and executes in the browser of anyone who later views the affected page, including logged-in editors and administrators.

Because it is stored XSS, the malicious content persists in your site content and executes again for every visitor or staff member who loads the impacted page(s), so exposure grows with traffic and with the time the payload goes unnoticed.

Security Weakness

According to the published advisory, the vulnerability stems from insufficient input sanitization and output escaping in FooGallery versions up to and including 3.1.11. In practical terms, the plugin may allow certain user-controlled inputs to be saved and later rendered in the browser in a way that can be interpreted as executable script. Note that WordPress core already strips script-capable markup from the post body of users who lack the unfiltered_html capability (Authors by default), so a plugin-level stored XSS reachable by an Author generally involves plugin-specific fields that are not covered by that core filtering and are then printed without escaping.
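The following is an added, illustrative example of the weakness class the advisory names (missing sanitization on save, missing escaping on output) and of the hardened form, written as a generic WordPress plugin fragment. It is not FooGallery's code, and the advisory does not identify which field is affected; the meta key caption_text, the shortcode demo_gallery and the nonce name are hypothetical. It assumes the WordPress runtime (update_post_meta, wp_kses_post, esc_attr and the other core functions used).

```php
<?php
/**
 * Added illustration of an Author-reachable stored XSS pattern in a WordPress
 * plugin, next to its hardened form. Not FooGallery's code; field and
 * shortcode names are hypothetical. Assumes WordPress is loaded.
 */

// ---- Vulnerable pattern: raw input stored, raw value printed. ----

function demo_gallery_save_vulnerable( $post_id ) {
    if ( isset( $_POST['caption_text'] ) ) {
        // No capability/nonce check and no sanitization: an Author can store
        // markup such as <img src=x onerror=...> that core never filters,
        // because this is post meta, not post_content.
        update_post_meta( $post_id, 'caption_text', wp_unslash( $_POST['caption_text'] ) );
    }
}

function demo_gallery_render_vulnerable( $atts ) {
    $caption = get_post_meta( (int) $atts['id'], 'caption_text', true );
    // No escaping: whatever was stored is interpreted by every visitor's browser,
    // both inside the title attribute and in the element body.
    return '<div class="gallery-caption" title="' . $caption . '">' . $caption . '</div>';
}

// ---- Hardened pattern: authorize, sanitize on save, escape per output context. ----

function demo_gallery_save_hardened( $post_id ) {
    if ( ! isset( $_POST['caption_text'], $_POST['demo_gallery_nonce'] ) ) {
        return;
    }
    // Only a user allowed to edit this post, acting from the plugin's own form.
    if ( ! current_user_can( 'edit_post', $post_id )
        || ! wp_verify_nonce( $_POST['demo_gallery_nonce'], 'demo_gallery_save' ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['caption_text'] );
    // Authors lack unfiltered_html, so hold them to the same post-safe subset
    // core enforces on post_content: wp_kses_post() drops <script>, on* handlers
    // and javascript: URLs while keeping harmless formatting.
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_post_meta( $post_id, 'caption_text', $clean );
}
add_action( 'save_post', 'demo_gallery_save_hardened' );

function demo_gallery_render_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_gallery' );
    $caption = get_post_meta( (int) $atts['id'], 'caption_text', true );
    // Escape late, for the context the value lands in: the attribute gets a
    // tag-free, attribute-escaped string; the body gets the kses-filtered HTML.
    // Escaping on output is done even though save already sanitized, so a
    // value written by another code path cannot bypass it.
    return '<div class="gallery-caption" title="' . esc_attr( wp_strip_all_tags( $caption ) ) . '">'
         . wp_kses_post( $caption ) . '</div>';
}
add_shortcode( 'demo_gallery', 'demo_gallery_render_hardened' );
```

The two halves differ in three places a reviewer would look for in any plugin field reachable by an Author: a capability and nonce check before the write, kses filtering on save for users without unfiltered_html, and context-specific escaping (esc_attr for the attribute, wp_kses_post for the body) at the point of output.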

There is no known patch available at this time per the source advisory. This changes the risk posture from “update and move on” to “mitigate, monitor, and potentially replace,” depending on your organization’s risk tolerance and how critical FooGallery is to your website operations.

Technical or Business Impacts

Stored XSS can create direct business risk even when it starts with an authenticated user. If an attacker injects malicious scripts into a high-traffic page, they may be able to:

Brand and customer trust damage: Visitors can be redirected to scam pages, shown fake popups, or served modified content that harms your brand credibility and conversion rates.

Account and session risk: Scripts run in the viewer's browser with that viewer's session. If the viewer is an editor or administrator, the script can issue requests to wp-admin as that user, so an Author-level foothold can escalate to higher-privileged actions or further account takeover.

Compliance and privacy concerns: If malicious scripts manipulate forms, pixels, or on-page content, this can affect consent flows, tracking integrity, and potentially expose user data—creating regulatory and contractual risk, especially for organizations with formal compliance requirements.

Operational disruption: Incident response often requires page-by-page review and cleanup of injected content, temporary page takedowns, and emergency access control changes—diverting marketing and web teams from planned campaigns.

With no known patch, confirm exposure first by comparing the installed plugin version against 3.1.11, then apply mitigations proportionate to your risk tolerance: audit and reduce Author-level and higher accounts, review and monitor content changes for injected markup, tighten editorial workflows, and evaluate whether uninstalling FooGallery and replacing it with an alternative is the most prudent path.
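As an added example of the interim measures above (the version check and the content-change monitoring), here is a small must-use plugin. It is not FooGallery's code and not a fix for the vulnerability. Two assumptions are not taken from the advisory: that the plugin's main file is foogallery/foogallery.php, and that the log destination is the PHP error log (WP_DEBUG_LOG when enabled); the function prefix and message text are the example's own.

```php
<?php
/**
 * Plugin Name: Interim controls for FooGallery CVE-2026-25362 (added example)
 *
 * Place in wp-content/mu-plugins/. Illustrative only: not FooGallery's code
 * and not an official fix. Assumed (not from the advisory): main plugin file
 * foogallery/foogallery.php; "affected" means version <= 3.1.11 as stated
 * on this page.
 */

const FOOGALLERY_CVE_2026_25362_MAX_AFFECTED = '3.1.11';

/** True when the installed version falls inside the affected range. */
function foogallery_cve_2026_25362_is_affected( $installed ) {
    return version_compare( $installed, FOOGALLERY_CVE_2026_25362_MAX_AFFECTED, '<=' );
}

/** Crude detector for script-capable markup: <script>, inline handlers, javascript: URLs. */
function foogallery_cve_2026_25362_looks_scripty( $value ) {
    $flat = is_scalar( $value ) ? (string) $value : wp_json_encode( $value );
    return (bool) preg_match( '/<script\b|\son[a-z]+\s*=|javascript\s*:/i', $flat );
}

/** 1) Exposure check: surface an admin notice while the installed build is in range. */
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $main_file = WP_PLUGIN_DIR . '/foogallery/foogallery.php'; // assumed path
    if ( ! file_exists( $main_file ) ) {
        return; // not installed, or already removed as a mitigation
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $version = get_plugin_data( $main_file, false, false )['Version'];
    if ( foogallery_cve_2026_25362_is_affected( $version ) ) {
        $msg = sprintf(
            'FooGallery %1$s is in the range affected by CVE-2026-25362 (up to %2$s) and no fix is available yet. Review Author+ accounts and gallery content.',
            $version,
            FOOGALLERY_CVE_2026_25362_MAX_AFFECTED
        );
        echo '<div class="notice notice-error"><p>' . esc_html( $msg ) . '</p></div>';
    }
} );

/** Log helper: who saved what, and where. */
function foogallery_cve_2026_25362_log( $where, $object_id ) {
    error_log( sprintf(
        '[cve-2026-25362-watch] user=%d saved script-like markup in %s (object %d)',
        get_current_user_id(), $where, $object_id
    ) );
}

/**
 * 2a) Post body: run before core's kses filter (priority 10) so the raw
 *     submission is seen; the content is returned unchanged and core still
 *     filters it for users without unfiltered_html. post_ID is only present
 *     for classic-editor form posts; REST saves log object 0.
 */
add_filter( 'content_save_pre', function ( $content ) {
    if ( ! current_user_can( 'unfiltered_html' ) && foogallery_cve_2026_25362_looks_scripty( $content ) ) {
        foogallery_cve_2026_25362_log( 'post_content', (int) ( $_POST['post_ID'] ?? 0 ) );
    }
    return $content;
}, 1 );

/**
 * 2b) Post meta: plugin settings commonly live here and are not covered by
 *     core's content filtering, which is the weakness class at issue.
 */
$foogallery_cve_2026_25362_meta_watch = function ( $meta_id, $post_id, $meta_key, $meta_value ) {
    if ( ! current_user_can( 'unfiltered_html' ) && foogallery_cve_2026_25362_looks_scripty( $meta_value ) ) {
        foogallery_cve_2026_25362_log( 'postmeta:' . $meta_key, (int) $post_id );
    }
};
add_action( 'added_post_meta',   $foogallery_cve_2026_25362_meta_watch, 10, 4 );
add_action( 'updated_post_meta', $foogallery_cve_2026_25362_meta_watch, 10, 4 );
```

The monitor only logs; it deliberately does not strip or block, because the goal during the no-patch window is a reviewable trail of which low-privilege account wrote script-capable markup into which field, which feeds the account audit and the page-by-page cleanup described above. The detector is intentionally coarse (it will flag legitimate embeds that use inline handlers), so treat hits as review items rather than verdicts.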

Similar Attacks

Stored and self-propagating XSS has historically caused significant disruption on major platforms. Two well-known examples:

The “Samy” worm (MySpace, 2005): a stored XSS payload that copied itself into each viewing user's profile, the classic example of how XSS can spread rapidly and create platform-wide impact.

Twitter onMouseOver XSS worm (2010): demonstrated how quickly browser-executed scripts can propagate and disrupt user experiences at scale.
