Stored Cross-Site Scripting in SimpLy Gallery Block & Lightbox Plugin for WordPress
CVE-2026-5743

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-5743?

The SimpLy Gallery Block & Lightbox plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability that allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts via insufficiently sanitized block attributes. The vulnerability arises from a flaw in the input sanitization process of the sliderMaxHeight block attribute in the pgc_sgb_render_callback() function. Due to a poorly constructed regex pattern, the sanitization function fails to filter out unquoted event handlers, enabling adversaries to execute malicious scripts when a user accesses an affected page.

Affected Version(s)

SimpLy Gallery 0 <= 3.3.3.1

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhammad Yudha - DJ
.