VYPR
Medium severity (6.4) · NVD Advisory · Published Mar 25, 2026 · Updated Apr 24, 2026 · No known patch

CVE-2026-4766

Description

Easy Image Gallery plugin ≤1.5.3 stores user-supplied gallery shortcode values without sanitization, enabling Stored XSS for authenticated attackers with Contributor-level access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Easy Image Gallery plugin for WordPress (versions up to and including 1.5.3) is vulnerable to Stored Cross-Site Scripting (XSS) via the Gallery shortcode post meta field. The vulnerability exists because the plugin fails to properly sanitize user-supplied gallery shortcode values before storing them in post meta. This affects the easy_image_gallery_get_post_meta() function in template-functions.php [1][2], where the shortcode data is retrieved and subsequently used without adequate output escaping.
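As an added illustration, not the plugin's own code, this is the defensive pattern the description says is absent: the gallery post meta is reduced to its expected form on write and every attribute is escaped on output, so a stored value cannot become script in a viewer's browser. The meta key, function names and shortcode tag below are hypothetical.

```php
<?php
// Added illustration (not Easy Image Gallery's code). Meta key, function
// names and shortcode tag are hypothetical.

// 1. Sanitize on write: the stored value should only ever be a comma-separated
//    list of attachment IDs, so reduce whatever a Contributor submitted to that.
function eig_demo_sanitize_gallery_ids( $value ) {
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $value ) ) );
    return implode( ',', array_unique( $ids ) );
}

add_action( 'init', function () {
    register_post_meta( 'post', 'eig_demo_gallery_ids', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,
        'sanitize_callback' => 'eig_demo_sanitize_gallery_ids',
        'auth_callback'     => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

// 2. Escape on read: even if an older, unsanitized value is already stored,
//    nothing reaches the page unescaped. IDs are re-validated, URLs go through
//    esc_url() and the alt text through esc_attr().
function eig_demo_render_gallery( $post_id ) {
    $raw  = get_post_meta( $post_id, 'eig_demo_gallery_ids', true );
    $ids  = array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) );
    $html = '<ul class="eig-demo-gallery">';
    foreach ( $ids as $id ) {
        $src = wp_get_attachment_image_url( $id, 'thumbnail' );
        if ( ! $src ) {
            continue; // not an image attachment, skip it
        }
        $alt   = get_post_meta( $id, '_wp_attachment_image_alt', true );
        $html .= sprintf(
            '<li><img src="%s" alt="%s" /></li>',
            esc_url( $src ),
            esc_attr( $alt )
        );
    }
    return $html . '</ul>';
}

add_shortcode( 'eig_demo_gallery', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => get_the_ID() ), $atts );
    return eig_demo_render_gallery( absint( $atts['id'] ) );
} );
```

Escaping at output is the control that holds even when the write path is bypassed, which is why both steps are shown rather than sanitization alone.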

Exploitation

An attacker must be authenticated with at least Contributor-level access to WordPress (i.e., the ability to create or edit posts with post meta fields). The attacker injects malicious JavaScript into the gallery shortcode post meta via the post editor (e.g., by crafting a gallery shortcode value containing script payloads). When the post is subsequently rendered and a victim (including higher-privileged users or administrators) views the page, the stored script executes in the context of the victim's browser session [1][2]. No user interaction beyond viewing the compromised page is required.

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts in the browsers of users who access the injected page. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information (e.g., authentication cookies). The injected script runs under the security context of the victim's session, potentially enabling actions with the victim's privileges, including administrative actions if the victim is an administrator [1][2].

Mitigation

As of the published date (2026-03-25), no fixed version has been released for the Easy Image Gallery plugin; all versions up to and including 1.5.3 are affected. Users should review the plugin's update status and consider disabling the plugin or removing access for untrusted contributors until a patch is provided. There is no known workaround published in the available references [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Plugin removed: Easy Image Gallery (slug: easy-image-gallery)

This plugin has been removed from the WordPress.org directory on 2026-03-11 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page
