CVE-2026-4085

Name of the Vulnerable Software and Affected Versions Easy Social Photos Gallery versions prior to 3.1.3

Description Stored Cross-Site Scripting is possible due to insufficient input sanitization and output escaping of user-supplied attributes. The plugin uses the sanitize text field() function instead of esc attr() when outputting the wrapper class attribute of the 'my-instagram-feed' shortcode within a double-quoted HTML class attribute. Because sanitize text field() does not encode double quotes, authenticated attackers with contributor-level access or higher can break out of the class attribute to inject arbitrary HTML event handlers and web scripts that execute when a user visits the affected page.

Recommendations Update to a version newer than 3.1.2. As a temporary workaround, restrict the use of the wrapper class attribute in the 'my-instagram-feed' shortcode.