CVE-2025-4405

CVSS v3: 4.9 (MEDIUM)
CVSS v2: N/A
Affected: 1 project

Description

The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
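The pattern behind this class of bug, as an added illustration (Python model; not the plugin's source, whose render path and shortcode tag the page does not show): a `link` value saved by a Contributor is interpolated into an `<a href>` with neither input sanitization nor output escaping. Shortcode attributes are plain text rather than HTML, so the KSES filtering WordPress applies to posts from users without `unfiltered_html` does not touch them, which is why Contributor-level access is enough. The three renderers below show why each control alone is insufficient: escaping the attribute stops the quote-breakout payload but leaves a `javascript:` URL intact, while a scheme allowlist alone does nothing about breakout. The shortcode tag `random_pic`, the image path and the post body are constructed for the example.

```python
"""Model of the stored-XSS pattern described above (added example, not the
Hot Random Image plugin's code): a shortcode-style ``link`` attribute rendered
into an <a href>, vulnerable vs. escape-only vs. hardened, plus an audit helper
for content already stored in the database."""

import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs: values a Contributor could save in a post.
BENIGN_LINK = "https://example.com/gallery"
SCHEME_PAYLOAD = "javascript:alert(document.cookie)"
OBFUSCATED_SCHEME_PAYLOAD = "java\tscript:alert(1)"   # browsers drop tabs/newlines in a scheme
BREAKOUT_PAYLOAD = '" onmouseover="alert(1)'          # closes href, appends an event handler
IMG = "/wp-content/uploads/random/1.jpg"              # constructed image path

ALLOWED_SCHEMES = {"http", "https", "mailto"}


def render_vulnerable(link: str, img_src: str) -> str:
    """Assumed shape of the vulnerable path: attribute values interpolated verbatim."""
    return f'<a href="{link}"><img src="{img_src}"></a>'


def render_escape_only(link: str, img_src: str) -> str:
    """Output escaping alone (esc_attr-style): neutralizes the breakout payload,
    but a javascript: URL is a perfectly valid escaped href and still runs on click."""
    return (f'<a href="{html.escape(link, quote=True)}">'
            f'<img src="{html.escape(img_src, quote=True)}"></a>')


def sanitize_link(link: str) -> str:
    """Input sanitization: accept http(s)/mailto or a same-site relative path,
    reject everything else by returning ''. Control characters are removed
    first because browsers ignore them while parsing the scheme; raw quotes
    and angle brackets are never valid unencoded in a URL, so they are
    rejected outright instead of being 'repaired'."""
    cleaned = "".join(ch for ch in link.strip() if ord(ch) > 0x1F)
    if any(c in cleaned for c in '<>"\''):
        return ""
    parts = urlsplit(cleaned)
    if parts.scheme:
        return cleaned if parts.scheme.lower() in ALLOWED_SCHEMES else ""
    if parts.netloc:          # protocol-relative "//host/..." is an external link in disguise
        return ""
    return cleaned            # relative path: no scheme for a payload to abuse


def render_hardened(link: str, img_src: str) -> str:
    """Sanitize on the way in AND escape on the way out. When the link is
    rejected, emit the image without an anchor rather than an empty href."""
    safe_link = sanitize_link(link)
    img = f'<img src="{html.escape(img_src, quote=True)}">'
    if not safe_link:
        return img
    return f'<a href="{html.escape(safe_link, quote=True)}">{img}</a>'


# Minimal shortcode/attribute matching for the audit below. The tag is passed
# in by the caller because the page does not give the plugin's real one.
_SHORTCODE_RE = re.compile(r"\[(?P<tag>[a-z0-9_-]+)\b(?P<attrs>[^\]]*)\]", re.I)
_LINK_ATTR_RE = re.compile(
    r"""\blink\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S+))""", re.I)


def find_unsafe_links(post_content: str, tag: str) -> list:
    """Return raw ``link`` values in ``[tag ...]`` shortcodes that the sanitizer
    would reject or alter: the ones to review in stored posts after patching."""
    flagged = []
    for m in _SHORTCODE_RE.finditer(post_content):
        if m.group("tag").lower() != tag.lower():
            continue
        a = _LINK_ATTR_RE.search(m.group("attrs"))
        if a is None:
            continue
        raw = next(v for v in (a.group("dq"), a.group("sq"), a.group("bare")) if v is not None)
        if sanitize_link(raw) != raw:
            flagged.append(raw)
    return flagged


# Constructed post body: one benign shortcode and two injected ones.
SAMPLE_POST = (
    "Intro text.\n"
    '[random_pic link="https://example.com/gallery"]\n'
    '[random_pic link="javascript:alert(document.cookie)" width="50%"]\n'
    "[random_pic link='\" onmouseover=\"alert(1)' alt=\"x\"]\n"
)

if __name__ == "__main__":
    for name, payload in [("benign", BENIGN_LINK), ("scheme", SCHEME_PAYLOAD),
                          ("obfuscated", OBFUSCATED_SCHEME_PAYLOAD), ("breakout", BREAKOUT_PAYLOAD)]:
        print(name)
        print("  vulnerable :", render_vulnerable(payload, IMG))
        print("  escape-only:", render_escape_only(payload, IMG))
        print("  hardened   :", render_hardened(payload, IMG))
    print("flagged:", find_unsafe_links(SAMPLE_POST, "random_pic"))
```

In a WordPress plugin the same two layers are `esc_url()` for the `href` (it drops URLs whose scheme is not in `wp_allowed_protocols()`) and `esc_attr()` for every other attribute, applied at output time in the shortcode handler. Because the payload is stored, patching alone does not remove rows already injected; the audit helper is the kind of check to run over `post_content` afterwards, and note that a Contributor cannot publish, so the script typically fires when an Editor or Administrator previews or reviews the pending post.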

Hot Random Image by Hot Themes (https://www.hotjoomlatemplates.com/) is a basic plugin that shows a randomly picked image from a selected folder where images are stored. You can define a folder and the plugin will show all the images from this folder in a random order. It is also possible to select only certain images from the folder that will be added to the rotation. Each image can be linked. Alt text is optional. Image dimensions (width and height) can be defined in any format (pixels, percents, auto mode...). Therefore, this plugin is appropriate for all responsive websites.

Source: WordPress Plugin Directory (50.6K)