CVE-2026-5361— Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
Possible ATT&CK Techniques 3AI
T1133 · External Remote Services T1059.007 · JavaScript T1189 · Drive-by CompromiseAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | ≤ 1.12.4 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-5361
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Envira Gallery Lite 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Envira Gallery Lite 1.12.4及之前版本存在跨站脚本漏洞,该漏洞源于update_gallery_data函数输入清理不足和gallery_init函数输出转义不当,可能导致经过身份验证的攻击者
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | 0 ~ 1.12.4 | - |
II. Public POCs for CVE-2026-5361
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-5361
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: smub
- CVE-2026-6177
Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross - CVE-2026-7619
Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injecti - CVE-2026-5488
ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing - CVE-2026-5464
ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Pl - CVE-2026-3177
Charitable – Donation Plugin for WordPress – Fundraising wit
Same weakness: CWE-79
- CVE-2021-47981
Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form - CVE-2021-47975
WordPress Plugin WP Learn Manager 1.1.2 Stored XSS - CVE-2021-47957
WordPress Plugin Cookie Law Bar 1.2.1 Stored XSS via clb_bar - CVE-2021-47955
CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload - CVE-2021-47934
MyBB Timeline Plugin 1.0 Cross-Site Scripting and CSRF
V. Comments for CVE-2026-5361
No comments yet