Image Hover Effects Ultimate - Reflected cross-site scripting (XSS)

Description

Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) 9.9.4 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/Classes/Support_Recommended.php.

Vulnerability

Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) 9.9.4. The following is the output of the tool:

Skims output

 137 | {
 138 |
 139 | $wpnonce = sanitize_key(wp_unslash($_POST['_wpnonce']));
 140 | if (!wp_verify_nonce($wpnonce, 'image_hover_ultimate')) :
 141 | return new \WP_REST_Request('Invalid URL', 422);
 142 | die();
 143 | endif;
 144 |
 145 | $notice = $_POST['notice'];
 146 | update_option('oxi_image_hover_recommended', $notice);
> 147 |         echo $notice;
  148 |         die();
  149 |     }
  150 |
  151 |
  152 |     public function extension()
  153 |     {
  154 |         $response = get_transient(self::GET_LOCAL_PLUGINS);
  155 |         if (!$response || !is_array($response)) {
  156 |             $URL = self::PLUGINS;
  157 |             $request = wp_remote_request($URL);
      ^ Col 0

Our security policy

We have reserved the ID CVE-2025-0774 to refer to this issue from now on.

Disclosure policy

System Information

• Version: Image Hover Effects Ultimate 9.9.4

Mitigation

There is currently no patch available for this vulnerability.