CVE-2025-15665 in Ultimate Before After Image Slider & Gallery Plugininfo

Summary

by MITRE • 07/14/2026

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The Ultimate Before After Image Slider & Gallery WordPress plugin versions prior to 4.7.1 contain a critical cross-site scripting vulnerability that stems from improper sanitization of user input within the BEAF Slider widget functionality. This vulnerability exists in the shortcode field processing mechanism where the plugin fails to properly escape or sanitize the content before rendering it on the frontend of the website. The flaw occurs when administrators create or modify slider widgets, as the plugin stores the shortcode value directly without appropriate output escaping mechanisms. When visitors access pages containing these widgets, the stored shortcode content is processed through the do_shortcode function which then echoes non-shortcode content verbatim, creating an execution environment for malicious scripts.

The technical exploitation of this vulnerability relies on the principle that administrators possess sufficient privileges to inject malicious code into the plugin's shortcode field. This represents a classic stored cross-site scripting scenario where the malicious payload is persisted in the database and executed whenever legitimate users view pages containing the vulnerable widget. The vulnerability specifically manifests when the do_shortcode function processes user-supplied input without adequate sanitization, allowing script tags or other malicious content to be rendered as active HTML elements. Attackers can leverage this weakness to execute arbitrary JavaScript code within the context of any user's browser session, potentially leading to session hijacking, credential theft, or redirection to malicious sites.

The operational impact of this vulnerability extends beyond simple XSS exploitation and represents a significant threat to WordPress site integrity and user security. Administrators who store malicious code in the slider widget can effectively compromise all visitors to pages containing that content, making it particularly dangerous for high-traffic websites or those with sensitive user data. The vulnerability is particularly concerning because it requires only administrator-level access to exploit, meaning that compromised admin accounts can immediately begin executing attacks against site visitors. This threat model aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), which specifically addresses the failure to sanitize user input before including it in web page output.

Mitigation strategies for this vulnerability should prioritize immediate plugin updates to version 4.7.1 or later where the escaping mechanism has been implemented. Administrators must also implement proper input validation and sanitization practices for all user-supplied content within WordPress plugins, particularly when processing shortcode parameters. The recommended security approach involves applying the principle of least privilege by limiting administrator access to only necessary functions and implementing Content Security Policy headers to reduce the impact of successful XSS attacks. Additionally, regular security audits of plugin code should be conducted to identify similar output escaping vulnerabilities, as this issue demonstrates how insufficient sanitization can create persistent security risks that affect all site visitors. Organizations should also consider implementing web application firewalls and monitoring systems to detect and prevent exploitation attempts targeting such vulnerabilities.

This vulnerability exemplifies the broader challenge of maintaining secure WordPress ecosystems where third-party plugins often contain security flaws that can be exploited by attackers with minimal privileges. The ATT&CK framework categorizes this type of vulnerability under T1566 - Phishing, as it enables attackers to create malicious content that appears legitimate and can be delivered to unsuspecting users. The risk is amplified when considering that many WordPress sites operate without proper security hardening measures, making such vulnerabilities particularly attractive targets for automated exploitation tools that scan for known weaknesses in popular plugins.

Responsible

WPScan

Reservation

06/23/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!