Description
The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom `|***...***|` marker pattern in its `fixJsFunction()` method to embed raw JavaScript function references within JSON-encoded configuration objects. When a gallery's options are rendered on the frontend, `json_encode()` wraps all string values in double quotes. The `fixJsFunction()` method then strips the `"|***` and `***|"` sequences, effectively converting a JSON string value into raw JavaScript code. The Loading Label field (stored as `rbs_gallery_LoadingWord` post_meta) is an `rbstext` type field that is sanitized with `sanitize_text_field()` on save. While this strips HTML tags, it does not strip the `|***...***|` markers since they contain no HTML. When a user inputs `|***alert(document.domain)***|`, the value passes through sanitization intact, is stored in post_meta, and is later retrieved and output within an inline `<script>` tag via `renderMainBlock()` with the quote markers stripped — resulting in arbitrary JavaScript execution. The gallery post type uses `capability_type => 'post'`, allowing Author-level users to create galleries. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the gallery shortcode.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via authenticated 'Loading Label' setting
Action: Immediate Patch
AI Analysis

Impact

The plugin processes a custom marker in JSON configuration that is later stripped during rendering, allowing a stored script to run inside an inline <script> tag on any page that displays the gallery. An attacker can thus inject JavaScript that executes in the browsers of all visitors to those pages, enabling session theft, defacement, or other malicious actions.

Affected Systems

WordPress sites installing Robo Gallery – Photo & Image Slider version 5.1.3 or earlier. The vulnerability is triggered by users with Author-level or higher capabilities, who can create or edit gallery posts.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only authenticated access with Author privileges; no privilege escalation or additional conditions are needed. The impact is limited to pages containing the gallery, but the script runs in any visitor’s browser and can affect all users who view the gallery.

Generated by OpenCVE AI on April 8, 2026 at 10:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Robo Gallery to version 5.1.4 or later
  • If an upgrade is not possible, disable or remove the 'Loading Label' option from gallery settings to block script injection
  • Delete or sanitize any existing gallery posts that contain malicious markers
  • Consider limiting or revoking Author permissions if not needed for content creation

Generated by OpenCVE AI on April 8, 2026 at 10:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/grid/grid.v1.php#L89 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L101 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/base-grid/layout.v1.php#L52 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L87 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/frontend/modules/class/jsoptions.php#L97 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/tags/5.1.3/includes/options/rbs_gallery_options_loading.php#L95 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/grid/grid.v1.php#L89 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L101 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/base-grid/layout.v1.php#L52 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L87 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/frontend/modules/class/jsoptions.php#L97 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/includes/options/rbs_gallery_options_loading.php#L95 cve-icon cve-icon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3488182%40robo-gallery&new=3488182%40robo-gallery&sfp_email=&sfph_mail= cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/d8693b7d-693f-450a-89ef-e936a8813ca9?source=cve cve-icon cve-icon
History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Robosoft
Robosoft robo Gallery – Photo & Image Slider
Wordpress
Wordpress wordpress
Vendors & Products Robosoft
Robosoft robo Gallery – Photo & Image Slider
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
Description The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading Label' setting in all versions up to, and including, 5.1.3. The plugin uses a custom `|***...***|` marker pattern in its `fixJsFunction()` method to embed raw JavaScript function references within JSON-encoded configuration objects. When a gallery's options are rendered on the frontend, `json_encode()` wraps all string values in double quotes. The `fixJsFunction()` method then strips the `"|***` and `***|"` sequences, effectively converting a JSON string value into raw JavaScript code. The Loading Label field (stored as `rbs_gallery_LoadingWord` post_meta) is an `rbstext` type field that is sanitized with `sanitize_text_field()` on save. While this strips HTML tags, it does not strip the `|***...***|` markers since they contain no HTML. When a user inputs `|***alert(document.domain)***|`, the value passes through sanitization intact, is stored in post_meta, and is later retrieved and output within an inline `<script>` tag via `renderMainBlock()` with the quote markers stripped — resulting in arbitrary JavaScript execution. The gallery post type uses `capability_type => 'post'`, allowing Author-level users to create galleries. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the gallery shortcode.
Title Robo Gallery <= 5.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'Loading Label' Setting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Robosoft Robo Gallery – Photo & Image Slider
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:49.967Z

Reserved: 2026-03-16T19:53:16.672Z

Link: CVE-2026-4300

cve-icon Vulnrichment

Updated: 2026-04-08T14:17:52.726Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T10:16:01.953

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-4300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:53Z

Weaknesses