CVE-2025-15665
Description
The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | Ultimate Before After Image Slider & Gallery | — | 0 < 4.7.1 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-79 Cross-Site Scripting (XSS) |