๐Ÿ” CVE Alert

CVE-2025-15665

MEDIUM 5.4

BEAF < 4.7.1 - Admin+ Stored XSS via Widget Shortcode Field

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.

Vendor unknown
Product ultimate before after image slider & gallery
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for unknown ultimate before after image slider & gallery

Be the first to know when new medium vulnerabilities affecting unknown ultimate before after image slider & gallery are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Ultimate Before After Image Slider & Gallery
0 < 4.7.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/754f0960-efc8-426f-bb1d-7cceec920910/

Credits

Dmitrii Ignatyev WPScan