CVE-2026-1913

Name of the Vulnerable Software and Affected Versions Gallagher Website Design versions prior to 2.6.5

Description The plugin is susceptible to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. The issue exists within the 'login link' shortcode due to inadequate input sanitization and output escaping of the prefix attribute. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.

Recommendations Update to a version later than 2.6.4. As a temporary workaround, restrict the use of the prefix attribute within the 'login link' shortcode for users with Contributor-level access.