CVE-2025-15665 PUBLISHED

BEAF < 4.7.1 - Admin+ Stored XSS via Widget Shortcode Field

Assigner: WPScan
Reserved: 23.06.2026 Published: 14.07.2026 Updated: 14.07.2026

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.

Product Status

Vendor Unknown
Product Ultimate Before After Image Slider & Gallery
Versions Default: unaffected
  • affected from 0 to 4.7.1 (excl.)

Credits

  • Dmitrii Ignatyev finder
  • WPScan coordinator

References

Problem Types

  • CWE-79 Cross-Site Scripting (XSS) CWE