Description
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
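The escaping mismatch named in the description, shown as an added example that is not the plugin's code. The function names, the `gallery_config` layout and the assumption that `arrows` is an on/off setting printed unquoted into the inline script are hypothetical, and `htmlspecialchars()` stands in for WordPress `esc_attr()`.

```php
<?php
// Added illustration; not Envira Gallery code. All names here are hypothetical.

// Stand-in for esc_attr(): entity-encodes HTML metacharacters and nothing else.
function html_attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Before: the stored setting is printed unquoted into an inline config object
// (assumed layout). HTML escaping has nothing to encode in a plain JavaScript
// expression, so the value reaches the script block unchanged and is evaluated.
function render_config_weak(array $settings): string {
    return '<script>var gallery_config = { arrows: '
        . html_attr_escape((string) $settings['arrows'])
        . ' };</script>';
}

// Input side: coerce the setting to the only values it should take
// (assumes an on/off option). Anything that is not a boolean-like value becomes 0.
function sanitize_arrows($raw): int {
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN) ? 1 : 0;
}

// Output side: encode for the JavaScript context. json_encode() emits a valid
// JS literal, and the JSON_HEX_* flags keep <, >, &, ' and " out of the script
// block. In WordPress the equivalent call is wp_json_encode().
function render_config_hardened(array $settings): string {
    $config = ['arrows' => sanitize_arrows($settings['arrows'] ?? 0)];
    $flags  = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var gallery_config = ' . json_encode($config, $flags) . ';</script>';
}

// Constructed sample value: a harmless expression with no HTML metacharacters.
$constructed = ['arrows' => 'console.log(document.title)'];

echo render_config_weak($constructed), PHP_EOL;             // expression survives escaping
echo render_config_hardened($constructed), PHP_EOL;         // coerced to 0
echo render_config_hardened(['arrows' => '1']), PHP_EOL;    // legitimate value kept
```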
AI Analysis

Impact

The Envira Gallery Lite plugin for WordPress contains insufficient input sanitization in the update_gallery_data() function and improper output escaping in gallery_init(). The plugin sanitizes only a subset of parameters and then outputs the 'arrows' value into inline JavaScript using esc_attr(), which is inappropriate for JavaScript contexts. This flaw allows authenticated users with Author privileges or higher to inject arbitrary JavaScript code that will execute whenever any visitor loads a page containing the injected gallery configuration, potentially stealing session data or defacing content.

Affected Systems

WordPress installations using Envira Gallery Lite version 1.12.4 or earlier. The vulnerability is triggered through the plugin’s REST API endpoint and requires that an account with Author role or higher exists on the site.

Risk and Exploitability

The CVSS score of 6.4 places the flaw in the moderate range, and the EPSS score is currently unavailable; it is not listed in the CISA KEV catalog. Attackers can exploit the weakness by submitting a crafted REST request to update_gallery_data() from a privileged account. Once the malicious script is stored in the gallery configuration, it will be executed in the context of any visitor who loads the gallery page, leading to significant confidentiality and integrity risks. The likelihood of exploitation is elevated because the plugin is widely used and the REST endpoint is exposed publicly on sites that enable REST API access.

Generated by OpenCVE AI on May 14, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Envira Gallery Lite to version 1.12.5 or later, which fixes the sanitization and escaping issue
  • If an upgrade is not immediately possible, restrict or remove all Author‑level accounts that are not required for normal site operation so the vulnerability cannot be exercised
  • Configure a web application firewall or security plugin to block suspicious JavaScript payloads on the gallery REST API endpoint to mitigate the risk until a patch is applied



Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Smub; Smub envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More; Wordpress; Wordpress wordpress |
| Vendors & Products | | Smub; Smub envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More; Wordpress; Wordpress wordpress |

Thu, 14 May 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 14 May 2026 04:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Title | | Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:47:27.431Z

Reserved: 2026-04-01T17:20:59.284Z

Link: CVE-2026-5361

Vulnrichment

Updated: 2026-05-14T10:47:22.837Z

NVD

Status: Deferred

Published: 2026-05-14T05:16:44.933

Modified: 2026-05-14T14:29:01.600

Link: CVE-2026-5361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:00Z
