Skip to main content

Mosaic Gallery CVE-2026-57755

| EUVDEUVD-2026-41311 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-7895-6924-w5f6
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor authentication required (PR:L), scope changes to victim browser (S:C); XSS does not directly cause availability impact so A:N is more accurate.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:29 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Mosaic Gallery &#8211; Advanced Gallery <= 1.2.0 versions.

AnalysisAI

Stored or reflected Cross-Site Scripting in the Mosaic Gallery - Advanced Gallery WordPress plugin (versions <= 1.2.0) is exploitable by authenticated users holding a Contributor role. A Contributor-level attacker can inject malicious JavaScript into gallery content, which executes in the browsers of higher-privileged users - such as editors or administrators - who subsequently view the affected page, enabling session hijacking or unauthorized administrative action. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Contributor account
Delivery
Inject XSS payload into gallery field
Exploit
Submit content for review
Execution
Privileged user views affected page
Persist
Malicious script executes in admin browser
Impact
Exfiltrate session token or perform admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a WordPress Contributor account (or higher) on the target site - this is the primary limiting factor (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.5 (Medium) is backed by a vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a Contributor account on the target WordPress site and embeds a JavaScript payload (such as a cookie-exfiltrating script) within a gallery block or shortcode field in the Mosaic Gallery - Advanced Gallery plugin while drafting a post. When an administrator reviews, edits, or views the post, the injected script executes in the administrator's browser, transmitting their session token to an attacker-controlled endpoint and enabling account takeover. …
Remediation Update the Mosaic Gallery - Advanced Gallery plugin to the latest available version via the WordPress plugin repository or per the vendor's published patch, once confirmed beyond version 1.2.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy