CVE-2026-42688

Vulnerability

The Modula Image Gallery plugin for WordPress versions up to and including 2.14.23 contains a Stored Cross-Site Scripting (XSS) vulnerability [1]. The flaw resides in input handling within the plugin's gallery component, allowing authenticated users with Subscriber-level privileges (the lowest role) to inject arbitrary HTML and JavaScript payloads. The injected payload is stored and subsequently rendered on pages displaying the gallery, with no requirement for special configuration beyond having the plugin active.

Exploitation

An attacker must first authenticate with a Subscriber account (or a role with equivalent or lower privileges). They can then supply a crafted payload through an input field (such as a gallery title, caption, or other user-controlled parameter) that is not properly sanitized. Successful exploitation further requires a privileged user (e.g., an Administrator or Editor) to perform an action that triggers the stored payload, such as viewing the gallery settings or the gallery itself in the admin panel or on the front-end. The vulnerability is classified as requiring user interaction [1].

Impact

Upon execution of the malicious script, the attacker achieves persistent code execution in the context of any visitor's browser. This can be used to redirect visitors to fraudulent websites, display unauthorized advertisements, steal session cookies, or perform actions on behalf of the victim, including administrative actions if the victim is a higher-privileged user. The attacker gains the ability to compromise the integrity and confidentiality of the affected WordPress site and its users.

Mitigation

The vulnerability is fully resolved in plugin version 2.14.24 [1]. Users are strongly advised to update to this version or any later release immediately. As a temporary workaround, Patchstack users can enable the provided virtual patch to block attacks until the plugin is updated. No other official mitigation has been disclosed beyond updating [1].