PT-2026-40849 · WordPress · Envira Gallery Lite

Athiwat Tiprasaharn

+1

·

Published

2026-05-14

·

Updated

2026-05-14

·

CVE-2026-5361

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Envira Gallery Lite versions prior to 1.12.5
Description Stored Cross-Site Scripting is possible via the REST API due to insufficient input sanitization in the update gallery data() function and improper output escaping in the gallery init() function. Specifically, the sanitize config values() function fails to sanitize the arrows parameter, only processing justified gallery theme and justified row height. When the arrows value is output in the inline JavaScript configuration, the use of esc attr()—which is intended for HTML attributes rather than JavaScript contexts—allows for JavaScript expression injection. Authenticated attackers with Author-level access or higher can inject arbitrary web scripts that execute when a user visits the affected page.
Recommendations Update to a version later than 1.12.4. As a temporary workaround, restrict access to the REST API or limit user permissions to prevent users with Author-level access from modifying gallery data.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-5361

Affected Products

Envira Gallery Lite