Stored Cross-Site Scripting Vulnerability in Envira Gallery Lite by WordPress
CVE-2026-5361

6.4 MEDIUM

What is CVE-2026-5361?

The Envira Gallery Lite plugin for WordPress contains a stored cross-site scripting vulnerability that allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts. The flaw stems from inadequate input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function: the arrows parameter is not sanitized correctly, so when its stored value is written into the inline JavaScript configuration it can carry an injected JavaScript expression, posing a significant risk to users of the site.
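As an added illustration of the defect class the advisory describes (this is not Envira Gallery's code), the snippet below places a free-form value raw into an inline JavaScript config object beside a hardened version that coerces the boolean setting on input and serialises the config as a JSON literal on output. The function names are hypothetical stand-ins for the plugin's update_gallery_data() and gallery_init().

```php
<?php
// Added illustration only; NOT the plugin's code. vuln_*/safe_* names are
// hypothetical stand-ins for update_gallery_data() and gallery_init().

// --- Vulnerable pattern -----------------------------------------------------
// The "arrows" setting is persisted as whatever string arrived, then
// concatenated raw into an inline <script> config. The value lands in a
// JavaScript expression position, so HTML escaping (esc_html/esc_attr) would
// not help either: anything that parses as JS runs in the viewer's browser.
function vuln_update_gallery_data( array $request ): array {
    return array( 'arrows' => (string) ( $request['arrows'] ?? '1' ) );
}

function vuln_gallery_init( array $config ): string {
    return '<script>var envira_gallery_config = { arrows: '
         . $config['arrows'] . ' };</script>';
}

// --- Hardened pattern -------------------------------------------------------
// 1) Input: the setting is a boolean, so coerce it to one; an attacker-supplied
//    string is never persisted. Unrecognised values fall back to false.
// 2) Output: serialise the whole config with json_encode() and the JSON_HEX_*
//    flags (WordPress' wp_json_encode() wraps the same call), so the result is
//    always a valid JS literal and no value can close the <script> tag.
function safe_update_gallery_data( array $request ): array {
    $raw    = $request['arrows'] ?? '1';
    $arrows = filter_var( $raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE );
    return array( 'arrows' => $arrows ?? false );
}

function safe_gallery_init( array $config ): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = json_encode( array( 'arrows' => (bool) $config['arrows'] ), $flags );
    return '<script>var envira_gallery_config = ' . $json . ';</script>';
}

// Self-check with a constructed, non-boolean sample value: on the hardened
// path it is reduced to a plain boolean literal before reaching the page.
$tainted = array( 'arrows' => 'not-a-boolean' );
echo safe_gallery_init( safe_update_gallery_data( $tainted ) ), PHP_EOL;
```

The same two-sided rule applies to any setting echoed into inline JavaScript: validate the type on the way in, and emit it through a JSON encoder rather than string concatenation on the way out.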

Affected Version(s)

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More: all versions up to and including 1.12.4 (0 <= version <= 1.12.4)

CVSS V3.1

  • Score: 6.4
  • Severity: MEDIUM
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Athiwat Tiprasaharn
Itthidej Aramsri