Stored Cross-Site Scripting Vulnerability in Gallagher Website Design Plugin for WordPress
CVE-2026-1913

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Gallagher Website Design
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-1913?

The Gallagher Website Design plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping of the 'prefix' attribute within the login_link shortcode. This vulnerability affects all versions up to and including 2.6.4, allowing authenticated attackers with Contributor-level access or higher to inject malicious scripts. When other users access compromised pages, these scripts will execute in their browsers, potentially leading to unauthorized actions or data exposure.

Affected Version(s)

Gallagher Website Design 0 <= 2.6.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/gallagher-webs...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Feb 4, 2026

Credit

Djaidja Moundjid

CVE-2026-1913 Data

JSON