Skip to main content

Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More

1 CVEs product

Monthly

CVE-2026-5361 MEDIUM This Month

Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.

XSS WordPress Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.

XSS WordPress Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy