CVE-2025-52788 HIGH

CVE-2025-52788: WordPress CaptionPix <= 1.8 - Cross Site Scripting (XSS) Vulnerability

Vendor: Russell Jamieson
Product: CaptionPix
Weakness: CWE-79 · XSS
Published: August 14, 2025
Last update: May 12, 2026

CVSS base score

7.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson CaptionPix captionpix allows Reflected XSS. This issue affects CaptionPix: from n/a through <= 1.8.

Explanation of Vulnerability in Simple Terms

02 Summary

CaptionPix versions 1.8 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. An attacker can craft a malicious link or page that, when visited by a site user, executes arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, or defacement. The vulnerability affects all versions from 0 through 1.8.

What an attacker can do

03 Attacker Capabilities

Inject and execute malicious JavaScript in a user's browser to steal session data, credentials, or deface content.

Potential impact on your site

04 Site Impact

Site visitors can be compromised without their knowledge; attackers may steal admin sessions or user data through malicious scripts.

Conditions required to exploit

05 Prerequisites

A site user must visit an attacker-controlled link or page that triggers the vulnerability. No authentication is required.

Key dates

06 Disclosure timeline

August 14, 2025: CVE published
May 12, 2026: Record updated