Description
The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to stored cross-site scripting via the 'data-image-title' parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tiled Gallery Carousel Without JetPack plugin contains a stored cross‑site scripting flaw that occurs when the data‑image-title attribute is not sanitized. An authenticated user with contributor privilege can supply a malicious value that will be stored and later rendered without escaping, allowing client‑side code execution on any visitor that opens the gallery.

Affected Systems

All installations of Raja3c’s Tiled Gallery Carousel Without JetPack plugin version 3.1 or earlier are vulnerable. The flaw is independent of the underlying WordPress core version and will affect any WordPress site that hosts the vulnerable plugin.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. EPSS is not available, and the flaw is not listed in CISA KEV. Attack requires authenticated contributor or higher access; the malicious payload is stored in the plugin’s database and rendered unescaped when a gallery page is displayed. Any user who visits the infected page will execute the injected script, creating a client‑side code execution channel that could be used for session hijacking, defacement, or phishing.

Generated by OpenCVE AI on June 2, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tiled Gallery Carousel Without JetPack plugin to a version newer than 3.1
  • If upgrading is not feasible, enforce strict input validation for the data-image-title parameter, ensuring it is properly escaped before rendering
  • Restrict contributor‑level access or review contributor permissions to reduce the risk of malicious script injection

Generated by OpenCVE AI on June 2, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Raja3c
Raja3c tiled Gallery Carousel Without Jetpack
Wordpress
Wordpress wordpress
Vendors & Products Raja3c
Raja3c tiled Gallery Carousel Without Jetpack
Wordpress
Wordpress wordpress

Tue, 02 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to stored cross-site scripting via the 'data-image-title' parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Tiled Gallery Carousel Without JetPack <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-image-title'
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Raja3c Tiled Gallery Carousel Without Jetpack
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T10:43:52.796Z

Reserved: 2026-03-30T20:59:57.571Z

Link: CVE-2026-5191

cve-icon Vulnrichment

Updated: 2026-06-02T10:43:48.172Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T10:16:25.600

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-5191

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:51:45Z

Weaknesses