PT-2026-31288 · WordPress · Robo Gallery

Athiwat Tiprasaharn · Published 2026-04-08 · Updated 2026-04-12 · CVE-2026-4300

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Robo Gallery versions through 5.1.3

Description: The Robo Gallery plugin for WordPress is susceptible to Stored Cross-Site Scripting via the 'Loading Label' setting. The plugin uses a custom |***...***| marker pattern within its fixJsFunction() method to embed raw JavaScript function references into JSON-encoded configuration objects. The json_encode() function wraps string values in double quotes, and the fixJsFunction() method removes the |*** and ***| sequences, effectively converting a JSON string value into raw JavaScript code. The 'Loading Label' field, stored as rbs_gallery_LoadingWord post meta, is sanitized with sanitize_text_field() on save, which strips HTML tags but not the custom markers. Inputting |***alert(document.domain)***| allows the value to pass sanitization, be stored in post meta, and be output within an inline <script> block, resulting in arbitrary JavaScript execution. Galleries are registered with capability_type => 'post', allowing Author-level users and above to create galleries and inject scripts into pages containing the gallery shortcode.

Recommendations: Versions prior to 5.1.4 should be updated.
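To make the marker mechanism described above concrete, the following PHP is an added illustration, not Robo Gallery's own code and not the vendor's 5.1.4 fix: a minimal model of the marker-stripping step beside a hardened variant that only unquotes plain function references, plus a save-side sanitizer. Function names and the configuration shape are assumptions.

```php
<?php
// Added illustration (not Robo Gallery's code): a minimal model of the
// |***...***| marker pattern and two defensive alternatives. Function names
// and the config shape are assumptions for this example.

// Vulnerable pattern: json_encode() quotes every string, then the marker
// sequences (and the quotes around them) are stripped, so whatever sits
// between the markers is emitted as raw JavaScript.
function fix_js_function_vulnerable(string $json): string {
    return str_replace(['"|***', '***|"'], '', $json);
}

// Hardened variant: unquote a marker value only when its payload is a plain
// JS function reference (dotted identifiers). Anything else stays a quoted
// JSON string, which the browser treats as inert text.
function fix_js_function_hardened(string $json): string {
    $pattern = '/"\|\*\*\*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\*\*\*\|"/';
    return preg_replace($pattern, '$1', $json);
}

// Defence in depth on the save path: sanitize_text_field() leaves the markers
// in place, so user-controlled settings must have them removed explicitly.
function sanitize_loading_label(string $raw): string {
    return str_replace(['|***', '***|'], sanitize_text_field($raw) ?: '', '');
}

// Constructed sample config: a legitimate callback reference the plugin would
// want unquoted, and a user-controlled label carrying the marker pattern.
$config = [
    'onLoad'       => '|***myGallery.onLoad***|',
    'loadingLabel' => '|***alert(document.domain)***|',
];
$json = json_encode($config);

echo "vulnerable: ", fix_js_function_vulnerable($json), "\n";
echo "hardened:   ", fix_js_function_hardened($json), "\n";
```

Run under WordPress (sanitize_text_field() is a WordPress function); the hardened output keeps the loading label as a quoted string while the callback reference is still unquoted.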

Fix · XSS
Related Identifiers: CVE-2026-4300

Affected Products: Robo Gallery, WordPress