CVE-2025-6716: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Str
Summary
The WordPress plugin 'Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery' is vulnerable to Stored Cross-Site Scripting (XSS, where an attacker hides malicious code in a webpage and it runs when others view the page) in versions up to 26.0.8. Attackers with Author-level permissions or higher can inject harmful scripts through the upload title field because the plugin doesn't properly clean and secure user input.
Vulnerability Details
6.4 (medium)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-6716
First tracked: February 15, 2026 at 08:49 PM
Classified by LLM (prompt v3) · confidence: 75%