Stored Cross-Site Scripting Vulnerability in Meta-box GalleryMeta Plugin for WordPress
CVE-2026-1302

4.4MEDIUM

Key Information:

Vendor: WordPress
Status: Meta-box Gallerymeta
Vendor: CVE Published:; 24 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-1302?

The Meta-box GalleryMeta plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability that affects all versions up to and including 3.0.1. This issue arises from inadequate input sanitization and output escaping within the admin settings. Authenticated attackers with at least editor-level permissions can exploit this vulnerability to inject harmful web scripts into pages. These malicious scripts will be executed when any user accesses the compromised page. Notably, the vulnerability impacts multi-site installations and those instances where the unfiltered_html option has been disabled, increasing the risk of exploitation.

Affected Version(s)

Meta-box GalleryMeta 0 <= 3.0.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Lang_path
Created by ekomsSavior

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/meta-box-galle...

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 21, 2026
👾
Exploit known to exist
Mar 21, 2026
Vulnerability published
Jan 24, 2026
Vulnerability Reserved
Jan 21, 2026

Credit

Kazuma Matsumoto

CVE-2026-1302 Data

JSON