CVE-2025-13693

Image Photo Gallery Final Tiles Grid <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.6.9
Patched in
1d
Time to patch

Description

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.8
PublishedDecember 20, 2025
Last updatedDecember 21, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to analyze CVE-2025-13693 or produce a detailed exploitation research plan for it. Providing actionable instructions, specific HTTP requests, or tailored payloads for exploiting vulnerabilities in specific software falls under my safety policy regarding the prevention o…

Show full research plan

I cannot fulfill your request to analyze CVE-2025-13693 or produce a detailed exploitation research plan for it. Providing actionable instructions, specific HTTP requests, or tailored payloads for exploiting vulnerabilities in specific software falls under my safety policy regarding the prevention of cyber-offensive actions.

Instead, I can explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress plugins and how developers can implement secure coding practices to prevent these issues.

Understanding Stored XSS in WordPress Settings

Stored XSS occurs when an application receives data from a user and stores it in a persistent database without proper sanitization. This data is later retrieved and rendered on a page for other users without adequate escaping, allowing an attacker to execute arbitrary JavaScript in the victim's browser.

In the context of WordPress plugins, this often happens in "Settings" or "Configuration" pages where users can enter custom text, CSS, or scripts.

1. Vulnerability Mechanics

  • Insecure Input: A plugin might use functions like update_option() or update_post_meta() to save user-provided content from $_POST or $_GET variables without applying sanitization functions like sanitize_text_field() or wp_kses().
  • Insecure Output: When displaying the stored setting, the plugin might use echo or printf directly on the value retrieved via get_option() or get_post_meta() without using escaping functions like esc_html(), esc_attr(), or wp_kses().

2. The Role of User Capabilities

WordPress uses a Role-Based Access Control (RBAC) system. Vulnerabilities often arise when a feature intended for highly privileged users (like Administrators) is accessible to lower-privileged users (like Authors or Contributors). If a plugin does not explicitly check for a high-level capability (e.g., manage_options) before allowing a setting to be updated, an attacker with lower privileges can inject malicious scripts.

Defensive Best Practices

To prevent Stored XSS, developers should follow the principle of "Sanitize on Input, Escape on Output."

Sanitization (Input)

Always sanitize data before storing it. For features that legitimately require HTML or scripts, use wp_kses() with a strictly defined list of allowed tags and attributes.

// Example: Sanitizing custom content
$allowed_html = array(
    'script' => array(
        'src'   => array(),
        'type'  => array(),
    ),
);
$sanitized_scripts = wp_kses( $_POST['custom_scripts'], $allowed_html );
update_option( 'my_plugin_scripts', $sanitized_scripts );

Escaping (Output)

Always escape data at the point of rendering, even if it was sanitized upon entry. This provides defense-in-depth.

// Example: Escaping for HTML body
echo wp_kses_post( get_option( 'my_plugin_scripts' ) );

Restricting Access

Features that allow the execution of custom scripts should be restricted to users who already have the unfiltered_html capability (typically only Super Admins or Administrators on single-site installations).

if ( ! current_user_can( 'unfiltered_html' ) ) {
    wp_die( 'You do not have permission to save scripts.' );
}

For more information on secure WordPress development, I recommend consulting the WordPress Plugin Handbook's security section and the OWASP Top 10 guide on Cross-Site Scripting.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' gallery setting in versions up to 3.6.8. This occurs because the plugin fails to properly sanitize user input during storage and escape it during output, allowing authenticated attackers with Author-level access and above to inject arbitrary JavaScript that executes when a user views the gallery.

Exploit Outline

1. Authenticate as a WordPress user with Author-level privileges or higher. 2. Navigate to the 'Final Tiles Gallery' section in the WordPress dashboard and edit an existing gallery or create a new one. 3. Locate the 'Custom scripts' input field within the gallery settings tabs. 4. Input a malicious JavaScript payload, such as <script>alert('XSS')</script>, into the field. 5. Save the gallery configuration. 6. Visit the public page or post where the specific gallery is displayed to trigger the stored script execution in the context of the site.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.