Description
The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-01-24
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Meta‑box GalleryMeta plugin for WordPress contains a stored cross‑site scripting flaw in the image caption field of its administrative interface. An authenticated attacker with editor‑level rights or higher can submit a malicious script; the script is stored and then executes whenever a visitor loads a page that displays the manipulated caption. The CVE description gives no evidence of further impact such as session hijacking, defacement or phishing; such outcomes are unconfirmed but remain possible, since arbitrary script runs in the visitor's browser.

Affected Systems

All releases of the Meta‑box GalleryMeta plugin up to and including version 3.0.1 are affected. The vulnerability is limited to multi‑site WordPress installations and to installations where the unfiltered_html capability has been disabled. Sites running the plugin under these conditions are at risk from any account holding the editor role or higher.

Risk and Exploitability

The moderate CVSS score of 4.4 indicates that the confidentiality and integrity of site content can be compromised, while availability is not affected. An EPSS score below 1% suggests that, at the time of analysis, the likelihood of exploitation is very low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated session with at least editor privileges and the ability to edit the gallery caption via the plugin's admin settings; once the malicious payload is stored, it executes for any user who views the affected gallery page.

Generated by OpenCVE AI on April 15, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Meta‑box GalleryMeta to a version newer than 3.0.1 if such a release is available.
  • If no newer release exists, consider removing the image caption feature from the plugin or uninstalling the plugin entirely to eliminate the input vector.
  • Implement input sanitization for the caption field, such as using wp_kses_post, or deploy a web application firewall rule that blocks common XSS payloads.

Generated by OpenCVE AI on April 15, 2026 at 21:39 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: References

Mon, 26 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 24 Jan 2026 08:45:00 +0000

Type: Description
Values Added: The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Type: Title
Values Added: Meta-box GalleryMeta <= 3.0.1 - Authenticated (Editor+) Stored Cross-Site Scripting via Image Caption
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:31.757Z

Reserved: 2026-01-21T18:56:57.029Z

Link: CVE-2026-1302

Vulnrichment

Updated: 2026-01-26T18:00:25.732Z

NVD

Status : Deferred

Published: 2026-01-24T09:15:54.523

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:45:14Z

Weaknesses