Description
The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) leading to arbitrary script execution
Action: Patch Up
AI Analysis

Impact

The plugin allows stored XSS through its login_link shortcode. An authenticated user with Contributor or higher privileges can supply a value for the prefix attribute that is stored and later rendered without proper sanitization or escaping. The injected payload executes in the browser of whoever views a page containing the shortcode, giving a vector for session hijacking, defacement, or credential theft. The weakness is a classic stored XSS flaw, catalogued as CWE-79.

Affected Systems

The Gallagher Website Design WordPress plugin, all releases up to and including version 2.6.4. Systems employing this plugin on a WordPress installation are potentially vulnerable if users can create or edit content using the login_link shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. Because the bug requires authenticated access at the Contributor level or higher, attackers must first obtain or already hold such permissions. The EPSS score is below 1%, and the issue is not listed in CISA's KEV catalog, suggesting limited known exploitation. Nonetheless, because the flaw is stored, any authenticated user at that level can place harmful scripts that will run for every other visitor to the affected page. Since the provided data records no official fix, administrators should treat mitigation as a high priority.

Generated by OpenCVE AI on April 22, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gallagher Website Design plugin to a version later than 2.6.4, if available, to apply the vendor’s fix for the XSS bug.
  • If no newer version exists, remove or disable the login_link shortcode from public posts to prevent the injection vector.
  • Ensure that only trusted users have Contributor or higher privileges, and audit user roles to reduce the risk of malicious payload submission.
  • Implement a site‑wide input sanitization layer or web application firewall rule that blocks malicious scripts in content added via the prefix attribute.
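
As an added illustration (not the plugin's own code, which is not on this page), the handler pattern that produces this class of bug sits beside its escaped form, followed by the interim mitigation from the second action above written as a must-use plugin. The function names, the rendered "Log in" link and the surrounding markup are assumptions.

```php
<?php
// Added illustration for CVE-2026-1913, not the plugin's code.
// Function names and the emitted markup are hypothetical.

// Vulnerable pattern (hypothetical): the 'prefix' attribute is saved in
// post content by anyone who can publish the shortcode and is emitted into
// the page exactly as stored, so markup inside it reaches the browser.
function example_login_link_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'prefix' => '' ), $atts, 'login_link' );
    return $atts['prefix'] . ' <a href="' . wp_login_url() . '">Log in</a>';
}

// Hardened version: each value is escaped for the context it lands in
// (text node, URL), so anything placed in 'prefix' renders as plain text.
function example_login_link_safe( $atts ) {
    $atts = shortcode_atts( array( 'prefix' => '' ), $atts, 'login_link' );
    return esc_html( $atts['prefix'] )
        . ' <a href="' . esc_url( wp_login_url() ) . '">Log in</a>';
}

// Interim mitigation while no fixed release is available: unregister the
// shortcode after plugins have had their chance to register it, so saved
// [login_link ...] tags are no longer expanded by the vulnerable handler.
// Place this file in wp-content/mu-plugins/ so it cannot be deactivated
// from the admin UI; remove it once a patched plugin version is installed.
add_action( 'init', function () {
    if ( shortcode_exists( 'login_link' ) ) {
        remove_shortcode( 'login_link' );
    }
}, PHP_INT_MAX );
```

Removing the shortcode changes what the front end renders (the login link disappears), so confirm that with content owners before deploying it site-wide.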



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gallagherwebsitedesign; Gallagherwebsitedesign gallagher Website Design; Wordpress; Wordpress wordpress
Vendors & Products | | Gallagherwebsitedesign; Gallagherwebsitedesign gallagher Website Design; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | | Gallagher Website Design <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T09:27:20.844Z

Reserved: 2026-02-04T15:37:47.705Z

Link: CVE-2026-1913

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T10:16:50.853

Modified: 2026-04-22T10:16:50.853

Link: CVE-2026-1913

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:43:40Z

Weaknesses