CVE-2025-13693 in Image Photo Gallery Final Tiles Grid Plugin
Summary
by MITRE • 12/21/2025
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 12/21/2025
The Image Photo Gallery Final Tiles Grid plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2025-13693 affecting all versions through 3.6.8. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's 'Custom scripts' configuration setting, creating a persistent security flaw that can be exploited by authenticated attackers possessing at least author-level privileges. The flaw allows malicious actors to inject arbitrary web scripts that execute whenever any user accesses pages containing the injected content, making this a particularly dangerous vulnerability due to its persistence and the broad impact it can have on user sessions and system integrity.
The technical exploitation of this vulnerability occurs through the plugin's administrative interface where the 'Custom scripts' setting accepts user input without proper sanitization processes. When an authenticated attacker with author-level access or higher modifies this setting, they can inject malicious javascript code that gets stored within the plugin's configuration. This stored script then executes in the context of any user who accesses pages where the gallery is displayed, effectively creating a server-side code injection vector that bypasses standard client-side security measures. The vulnerability maps directly to CWE-79 which describes cross-site scripting flaws where untrusted data is improperly escaped before being returned to users, and aligns with ATT&CK technique T1566.001 which covers spearphishing attachments and links that can lead to code execution.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with the ability to hijack user sessions, steal sensitive information, and potentially escalate privileges within the WordPress environment. Attackers can craft malicious scripts that redirect users to phishing sites, steal cookies and authentication tokens, or even modify content displayed to users. The persistence of the vulnerability means that once exploited, the malicious scripts remain active until manually removed from the plugin configuration, creating a long-term security risk for affected WordPress installations. This vulnerability particularly impacts websites where authors or contributors have access to plugin settings, as it requires minimal privileges to exploit but can cause significant damage to user trust and data integrity.
Mitigation strategies for CVE-2025-13693 should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies. Administrators should implement strict access controls limiting who can modify plugin configurations, particularly those that accept user input. Input validation should be strengthened to filter out potentially malicious script content before storage, while output escaping must be enforced to prevent script execution in rendered pages. Regular security audits of plugin configurations and user permissions should be conducted to identify and remediate similar vulnerabilities. Organizations should also consider implementing web application firewalls to detect and block suspicious script injections, while maintaining detailed logging of configuration changes to enable rapid incident response when vulnerabilities are exploited. The vulnerability demonstrates the critical importance of proper input validation and output escaping in web applications, aligning with security best practices outlined in OWASP Top 10 and NIST cybersecurity frameworks.